My RMM seems to have downgraded TB from 91.8.1 to 38.5.0
Hi All,
I know that the first answer to this is going to be "ask your RMM provider" but...
I use Datto RMM and they have an integration that can install and keep TB up to date with the latest patches. I have TB installed in a stock system image that I use (v60 something I think) for one particular customer.
Unbeknownst to me, for the past few weeks RMM has been complaining that the downloaded TB installer "did not pass verification checks for its digital signature." and it had been failing to install updates. I'm still trying to find out exactly what that means, I understand what I says, but not why it didn't pass.
Up to this point it was identifying the currently installed version as "Mozilla Thunderbird (x86 en-US)" without giving a specific version number. I assume it was pulling this info from windows directly although I'm not sure and will ask Datto support.
From the RMM logs I see that a couple of days ago it stopped complaining about the digital signature and "upgraded" using the installer from https://download.mozilla.org/?product=thunderbird-91.8.1-SSL&os=win&lang=en-US.
The following day, it started reporting that the installed version was "Currently installed: Mozilla Thunderbird 38.5.0 (x86 en-US)" and I started getting support calls as "all of my email has vanished".
Uninstalling 38.5.0 and re-installing with a cleanly downloaded copy of 91.8.1 resolves the issue.
So, can anyone shed any light on what might have been going on here. Has there been a problem with the code signing cert?, was this a supply chain attack?, did someone accidentally upload a 7 year old build of the installer?
I think my problem is resolved but I would really like to be able to work out what the heck happened.
Anyone got any insight?
All Replies (3)
Whatever installer the RMM was fetching, somehow had an invalid signature, or the RMM thought so. Are the logs not showing which version or where it was fetching that installer from at that particular time?
Hey Stans, thanks for coming back to me.
I've asked Datto to confirm what exactly it was that it didn't like about the signature.
The installer lists several download URL's;
- https://download.mozilla.org/?product=thunderbird-latest-SSL&os=win64&lang=en-GB
- https://download-installer.cdn.mozilla.net/pub/thunderbird/releases/91.8.0/win64/en-GB/Thunderbird%20Setup%2091.8.0.exe
- https://download.mozilla.org/?product=thunderbird-91.8.0-SSL&os=win&lang=en-US
It appears to have used the last one as the download (I assume it derives the last one from the first 2 via some re-direction). They all look to be legit honestly I wondered if there had been some strangeness going on with the downloads.
I've not seen any reports about invalid signatures. We would have seen them, even if just a handful. Some security program, especially Windows Defender Smartscreen, would have complained about it, so I strongly doubt there has been any issues with the code signing certificate.