Tenable "invalid signature" on xul.dll

User885 · 2024-11-18T21:55:57+00:00

Tenable has identified a "critical" security vulnerability for an invalid digital signature on xul.dll in Zotero 7.0.9. Is there a fix for this?

dstillman · 2024-11-20T12:08:17+00:00

xul.dll is a Firefox file that we include in Zotero. We don't re-sign it, since Windows itself doesn't enforce code signatures on DLLs. It sounds like Tenable does.

I don't think anyone else has ever reported a problem with this, but we'll look into re-signing all DLLs during the build process.

In the meantime, if you or your IT department is able to mark this as a false positive, you should do so.

dstillman · 2024-11-20T18:53:59+00:00

@User885: Actually, there's a change in Zotero 7 here that could be causing this. We'll have an update soon.

User885 · 2024-11-20T19:04:44+00:00

Thanks for the update. If it helps...

https://s3.amazonaws.com/zotero.org/images/forums/u15779595/6pmfciyjtdgpkvgtwemw.png
https://s3.amazonaws.com/zotero.org/images/forums/u15779595/md9phju3s6ubqhgpibdx.png

You're right, Windows doesn't care, but Tenable sure does. Doesn't like the Mozilla signature and/or the DigiCert co-signature.

dstillman · 2024-11-21T10:25:38+00:00

OK, this should be fixed in Zotero 7.0.10-beta.3, available within a few minutes, and the fix will be included in 7.0.10 soon. Thanks for reporting.