turbotax icon
cancel
Showing results for 
Search instead for 
Did you mean: 
turbotax icon
cancel
Showing results for 
Search instead for 
Did you mean: 
Close icon
Do you have a TurboTax Online account?

We'll help you get started or pick up where you left off.

x
Do you have an Intuit account?

Do you have an Intuit account?

You'll need to sign in or create an account to connect with an expert.

Update message says unknown publisher Turbotax 2023 Deluxe

If you run Turbotax normally it runs without the admin token, but by running "C:\Program Files\TurboTax\Individual 2023\64bit\TurboTax.exe" as admin, that TurboTax.exe process runs the unsigned executable, and no elevation is needed to update files. The reason the UAC prompt is yellow instead of blue is because the certificate is not trusted by the system when elevating. You can see if a process is elevated by going to the details tab in Task Manager and enabling the "Elevated" column. 

 

I took some time to look at the permissions of the helpers in "C:\Program Files\Common Files" and the folder and files only have write permissions from administrators and system, so an attacker would've needed to do a privilege escalation to replace those "Test" signed .exe files anyway.

 

The problem you have with unsigned executables is that they can be swapped out, if an attacker can write to them, and elevated unexpectedly. 

 

I am unsure why the Intuit Update Service v5 (in services.msc) doesn't remove the need for anything to be launched. You don't need to elevate your session to update Google Chrome, for example, because it has a service do it. Either way... the effectively unsigned .exe should be fixed by Intuit. 

Update message says unknown publisher Turbotax 2023 Deluxe

I just wanted to add that I'm also having the "Publisher Unknown" Issue for IntuitUpdater.exe.  I followed along with @diverjer 's initial analysis and I'm seeing the same thing as of March 1st, 2024.  When I start my freshly installed turbo tax it does one update with out the "User Account Control" yellow box, but then all subsequent update attempts are giving me the "Publisher Unknown" warning.  My current installed TurboTax version is 2023.47.21.48.  The "C:\Program Files\Common Files\Intuit\Update Service v5\IntuitUpdater.exe" does not appear to be getting updated as the date on mine is 9/15/2023 12:46AM, and the initial update ran today 3/1/2024.  The version for IntuitUpdater.exe is 5.1.50.0 (according to the properties dialog).

 

I also grabbed the details from the "Publisher Unknown" warning but I'm uncertain if any of the tokens in there need to be kept private.

 

I thought I should add that I purchased Turbo Tax Delux from Amazon and used the Amazon download to install it on Windows 11 Home, Version 22H2, OS Build 22621.3155.

 

I helped my mother install her Turbo Tax Premium, purchased from Costco, on her Windows 11 Laptop and encountered the same "Publisher Unknown" warning for updates after the initial update.  I beleive she downloaded the install package directly from Intuit. 

Update message says unknown publisher Turbotax 2023 Deluxe

Retired cybersecurity guy here, first time using TT in a long long time. Got the "unknown" message, went in and checked the updater files, all are signed with an internal untrusted root.

 

called support and was told to tell windows to trust the files 🙂

 

It looks like nobody at Intuit is paying attention, right? This thread looks like it's just everyone noticing the same thing but I don't see anything about a fix. I see mention of a security token but that's not how things should be done. The updater executables are all supposed to be signed with a trusted root, or else we have to rely on TT to perform the signature check which seems lame.

 

If I don't see any indication there's a fix I'll submit a bugcrowd ticket and see what happens.

 

 

Update message says unknown publisher Turbotax 2023 Deluxe

Yes it sure doesn't give you that comfort level when your tax software has certificates that are not trusted.  As I said once before, I called and the person didn't have a clue what I was talking about.   Now instead of getting the yellow invalid certificate message, it just updates with no UAC pop up message.  All other updates, get the UAC messages.   

 

It seems Turbotax just don't care or they would explain this issue!   Only help they got is someone who is suppose to know how to do taxes.   Not any staff that has an ounce of technical ability on software seems to be available.

 After around 17 years of using them, I think I will change next year.  Mine aren't that hard, I even found 2 errors they have, but they were nothing I couldn't fool the software into doing what I wanted.  One error was I need a federal report for itemizing even though I didn't have enough to itemize on federal.  I did enter all I could for itemizing knowing it wouldn't be enough, but also knowing it would be transferred to my Kansas return.  It is enough to itemize on my Kansas return, just not federal.  Turbotax won't ask for itemizing on the state return, so you have to do it on federal even though you know it won't be enough.  However, I could itemize in Kansas and they wanted a copy of that federal report that wasn't generated.   The other error one was just cosmetic where they left off an amount on a report that only I would use, same error was on last years.   Sorry that's off topic of this thread- me bad.  Already sent taxes in and paid them worthless politicians.

SS62
Level 2

Update message says unknown publisher Turbotax 2023 Deluxe

Absolutely ridiculous that they are not taking this issue seriously! Wonder what their QA team is up to!

 

Update message says unknown publisher Turbotax 2023 Deluxe

I am also getting this message on update attempt.  Does Intuit take financial data security seriously?

Update message says unknown publisher Turbotax 2023 Deluxe

It would appear that they are not taking system software security seriously by not doing a certificate check.  One wonders if they take our tax data security at that same level?  Sad!

Update message says unknown publisher Turbotax 2023 Deluxe

I though this through some more: IF they are validating the updater themselves - it is signed -  and the verification key is in the (signed) main program it COULD be just about as secure as as a code-signing-cert-signed executable checked by the OS as long as they implemented it a correctly.

 

But if the main program doesn’t validate, and the warning is because the OS signature check doesn’t trust the cert, an attacker can intercept the flow and present the OS with an arbitrary binary with signature validated by the attacker’s cert. Malware would need to be installed and running in order to hook into the program flow - not a trivial undertaking but still.

 

If they used a trusted code signing cert all this noise would go away - which the right thing to do.

 

Another problem is that triggering a warning message and expecting the user to ignore it is a security anti-pattern that promotes bad user behavior.

 

It would be nice if the team would respond! Meantime I’m betting on their implementation being “good enough” because an attack would be a fair amount of effort if my suppositions are correct.

 

Intuit, you can hire me as a security architect if you like.

message box icon

Get more help

Ask questions and learn more about your taxes and finances.

Post your Question
Manage cookies