Oculus Rift headsets did not work for almost 24 hours because of an expired code signing certificate

On March ? 201?, owners of Oculus Rift virtual reality headsets found themselves in an extremely unpleasant situation. On a single day their devices suddenly stopped working, showing the error "Can not Reach Oculus Runtime Service".
As it turned out, the problem was caused by the expiration of the code signing certificate for the dynamic library OculusAppFramework.dll, which is part of the Oculus Runtime Service. The library simply did not load. The certificate's expiration date is recorded in the file:
Valid to: Wednesday, March ? ???:00:00 PM
became mandatory with Windows 10 build 1607. Unsigned drivers are simply not loaded, with some exceptions (for example, if the Secure Boot option is disabled or if the file is signed with a cross-certificate issued before July 2? 2015).
As the investigation showed, the signature from the timestamp server disappeared after the Oculus upgrade from version ??? to 1.2?, which took place just over a month ago. The reason is not yet clear. One theory is that the timestamp signature could not be applied during the automated build because the timestamp server was down at that moment.
Within the day the company released a patch that replaces the file OculusAppFramework.dll on the system. To run the patch on Windows, you need to disable the antivirus (in Windows Defender, just click the "More info" link and press the "Run Anyway" button). After the patch is installed, the Oculus Runtime Service is updated from the server, and the headset works again.
The patch appeared on the morning of March 8. That is, because of the sloppiness of the company's employees, to put it mildly, every Oculus Rift headset in the world was out of action for almost a day. These are the consequences of one faulty code signing certificate.
Company co-founder Nate Mitchell issued a public apology and promised all affected users a $15 credit in the Oculus Store.
Rift is back online as of ~ 12am. This was a mistake on our end, and we apologize. Folks impacted by today's downtime will be provided with an Oculus store credit. More details to follow soon. Thanks again for everyone's patience as we worked through this one.
- Nate Mitchell (@natemitchell) March ? 2018
Initially, credits were given only to those who specifically applied for them. The fact is that the VR headsets still loaded in Oculus Home mode, where you can perform some actions. So not all users formally became victims. But a later message said that within seven days credits would be added for everyone who installed the update.
What conclusions can be drawn from this story?
Thousands of users were affected. Because of its own oversight, the company itself suffered damage if it actually credited $15 to a significant portion of Oculus Rift users. The company was fortunate not to receive legal claims from major clients, since Oculus VR systems are also used in the corporate sector: for example, for presentations, promotions, etc. One client said that on March 6 their company held a large presentation for a major brand. If the certificate problem had happened one day earlier, the event would have had to be canceled.
Another affected user says that their startup has been developing software for training surgeons in a VR environment for several months. Last week they were preparing to give a presentation at a big medical conference, but the Oculus Rift headsets went down on the morning of the conference. Fortunately, one of the company's programmers quickly figured out the problem and found that the program could be run by rolling the Windows system clock back a couple of days.
A single expired certificate could have resulted in more serious financial losses for Oculus than a $15 credit for all affected users. One can imagine VR headsets and other Internet of Things devices becoming ubiquitous. For example, they will be used in real surgical operations, and then all of them suddenly fail at the same time because of such a software error.
Inattention to the validity period of the code signing certificate is entirely the fault of Oculus and no one else. If you forget to attach a signature from the timestamp server, the signed files effectively turn into a "time bomb" that will explode as soon as the certificate expires. For example, GlobalSign issues code signing certificates for a period of ? 2 and 3 years.
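One way to catch a missing timestamp before release, as an added example that is not Oculus's or the article's own code: a PowerShell build gate that uses Get-AuthenticodeSignature to fail when a signed binary carries no timestamp countersignature. The build directory and the 90-day warning threshold are assumptions.

```powershell
# Added example: fail the build if any signed binary lacks a timestamp
# countersignature. The path and the threshold below are assumed values.
param(
    [string]$BuildOutput = '.\build\output',  # hypothetical artifact directory
    [int]$WarnDays = 90                        # assumed warning threshold
)

$findings = Get-ChildItem -Path $BuildOutput -Recurse -File -Include *.dll, *.exe, *.sys |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = $sig.SignerCertificate
        [pscustomobject]@{
            File          = $_.FullName
            Status        = $sig.Status
            # TimeStamperCertificate is $null when no timestamp was applied
            Timestamped   = [bool]$sig.TimeStamperCertificate
            SignerExpires = if ($signer) { $signer.NotAfter } else { $null }
            DaysLeft      = if ($signer) { [int]($signer.NotAfter - (Get-Date)).TotalDays } else { $null }
        }
    }

# Signed files without a timestamp stop verifying once the signer
# certificate expires: these are the "time bombs" described above.
$timeBombs = @($findings | Where-Object { $_.Status -ne 'NotSigned' -and -not $_.Timestamped })
$unsigned  = @($findings | Where-Object { $_.Status -eq 'NotSigned' })
$urgent    = @($timeBombs | Where-Object { $_.DaysLeft -lt $WarnDays })

$findings | Sort-Object DaysLeft | Format-Table File, Status, Timestamped, SignerExpires, DaysLeft -AutoSize

if ($unsigned.Count -gt 0) {
    Write-Warning "$($unsigned.Count) file(s) are not signed at all."
}
if ($urgent.Count -gt 0) {
    Write-Warning "$($urgent.Count) untimestamped file(s) expire in under $WarnDays days."
}
if ($timeBombs.Count -gt 0) {
    Write-Error "$($timeBombs.Count) signed file(s) have no timestamp countersignature."
    exit 1
}
Write-Output 'All signed files carry a timestamp countersignature.'
```

Running the gate after the signing step means a timestamp server outage during the build produces a failed build instead of a shipped binary that stops loading on the certificate's expiry date.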
Someone might ask why you should install this "time bomb" in your software at all, that is, why you need to sign code. But there is no other way: this is Microsoft's requirement for certain categories of files. If executable code for Windows is signed, its execution can be "prohibited" on all computers at almost any time. This is a compromise between freedom and security, and in this case the choice is made in favor of security. So the blame for such incidents in some sense lies with Microsoft, which created a "single point of failure" to protect against code injection.
It can be assumed that such incidents will occur more often in the future, since code signature verification is becoming more thorough because of security threats, and because operating system developers want a percentage of the revenue from selling programs through their proprietary app stores and are pushing all developers to sign their code. For Microsoft, this is a potential source of billions of dollars in additional revenue that it was previously deprived of.
Oculus is not distributed through the Windows Store and does not pay Microsoft the 30% commission (at least for now). But for system drivers, it is obliged to implement code signing to protect against injection and guarantee the integrity of the original files. Although in the end Microsoft certainly expects to attract both Oculus and all other developers to its Windows Store.
In any case, developers have almost no way out. They have to use certificates. But at the same time, you need to be careful to avoid incidents like the one at Oculus.