In 2009 I added a command to my Disitool to inject data “into” an Authenticode signature without invalidating it.
This year I reported on some installer programs using this padding trick.
With MS13-098, Microsoft releases a patch to prevent this signature padding trick. This change in behavior will become active June 10th 2014.
But you can already activate it now by setting reg_sz key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Wintrust\Config\EnableCertPaddingCheck to “1”.
Here is the effect illustrated with my AnalyzePESig tool:
But beware of a potential issue with this regkey. Setting it to “0” will not revert to the old behavior (tested in VM with Windows XP SP3).
I had to delete the key (actually, I renamed it) and reboot to revert to the old behavior. I informed Microsoft.
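Added example (not code from Disitool or AnalyzePESig): a Python check for what the padding trick leaves behind, namely data stored after the PKCS#7 blob inside the WIN_CERTIFICATE entry of a signed PE file. The function names and the sample file are constructed for illustration; only the first certificate entry is inspected, and this is not the check Windows performs under EnableCertPaddingCheck.

```python
import struct

def der_total_length(blob: bytes) -> int:
    """Size in bytes of the outer DER SEQUENCE (tag + length octets + content)."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate data does not start with a DER SEQUENCE")
    if blob[1] < 0x80:                                # short-form length
        return 2 + blob[1]
    n = blob[1] & 0x7F                                # long form: n length octets follow
    if not 1 <= n <= 4 or len(blob) < 2 + n:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def padding_after_signature(pe: bytes) -> bytes:
    """Bytes stored after the PKCS#7 blob in the first WIN_CERTIFICATE entry
    (b"" when the file is unsigned or only zero alignment bytes follow)."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0] if pe[:2] == b"MZ" else -1
    if nt < 0 or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = nt + 24                                     # optional header follows the COFF header
    dir_off = {0x10B: 96, 0x20B: 112}.get(struct.unpack_from("<H", pe, opt)[0])
    if dir_off is None:
        raise ValueError("unknown optional header magic")
    # Data directory entry 4 is the certificate table; it holds a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", pe, opt + dir_off + 4 * 8)
    if offset == 0 or size == 0:
        return b""
    dw_length = struct.unpack_from("<I", pe, offset)[0]
    body = pe[offset + 8:offset + dw_length]          # bCertificate, after the 8-byte header
    used = der_total_length(body)
    if used > len(body):
        raise ValueError("PKCS#7 blob is longer than dwLength allows")
    extra = body[used:]
    return b"" if len(extra) < 8 and not any(extra) else extra

def build_sample(extra: bytes) -> bytes:
    """Constructed input: only the header fields parsed above, not a loadable PE."""
    cert = b"\x30\x82\x01\x00" + bytes(256) + extra   # stand-in DER blob, then the extra data
    cert += bytes(-(len(cert) + 8) % 8)               # pad the entry to 8-byte alignment
    win_cert = struct.pack("<IHH", 8 + len(cert), 0x0200, 0x0002) + cert
    hdr = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
                    + bytes(20) + struct.pack("<H", 0x10B).ljust(96 + 16 * 8, b"\0"))
    struct.pack_into("<II", hdr, 0x40 + 24 + 96 + 4 * 8, len(hdr), len(win_cert))
    return bytes(hdr) + win_cert

if __name__ == "__main__":
    for label, extra in (("clean", b""), ("padded", b"constructed-marker-data")):
        found = padding_after_signature(build_sample(extra))
        print(label, "->", len(found), "byte(s) after the PKCS#7 blob")
```

Up to seven zero bytes after the blob are treated as normal 8-byte alignment; anything longer or non-zero is returned for inspection.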
I also tested MS13-098 and EnableCertPaddingCheck set to “1”.
After that, Terminal Service didn’t start anymore under Windows XP PRO SP3 German.
After removing EnableCertPaddingCheck, Terminal Service works fine.
Comment by Reto Felix — Wednesday 12 February 2014 @ 15:00
There’s a new announcement on https://technet.microsoft.com/en-gb/library/security/2915720
“V1.4 (July 29, 2014): Revised advisory to announce that Microsoft no longer plans to enforce the stricter verification behavior as a default functionality on supported releases of Microsoft Windows. It remains available as an opt-in feature. See the Advisory FAQ section for more information.”
Comment by Anonymous — Thursday 7 August 2014 @ 23:44