I just wanted to add that I'm also having the "Publisher Unknown" Issue for IntuitUpdater.exe.  I followed along with @diverjer 's initial analysis and I'm seeing the same thing as of March 1st, 2024.  When I start my freshly installed turbo tax it does one update with out the "User Account Control" yellow box, but then all subsequent update attempts are giving me the "Publisher Unknown" warning.  My current installed TurboTax version is 2023.47.21.48.  The "C:\Program Files\Common Files\Intuit\Update Service v5\IntuitUpdater.exe" does not appear to be getting updated as the date on mine is 9/15/2023 12:46AM, and the initial update ran today 3/1/2024.  The version for IntuitUpdater.exe is 5.1.50.0 (according to the properties dialog).

I also grabbed the details from the "Publisher Unknown" warning but I'm uncertain if any of the tokens in there need to be kept private.

I thought I should add that I purchased Turbo Tax Delux from Amazon and used the Amazon download to install it on Windows 11 Home, Version 22H2, OS Build 22621.3155.

I helped my mother install her Turbo Tax Premium, purchased from Costco, on her Windows 11 Laptop and encountered the same "Publisher Unknown" warning for updates after the initial update.  I beleive she downloaded the install package directly from Intuit. 

Retired cybersecurity guy here, first time using TT in a long long time. Got the "unknown" message, went in and checked the updater files, all are signed with an internal untrusted root.

called support and was told to tell windows to trust the files 🙂

It looks like nobody at Intuit is paying attention, right? This thread looks like it's just everyone noticing the same thing but I don't see anything about a fix. I see mention of a security token but that's not how things should be done. The updater executables are all supposed to be signed with a trusted root, or else we have to rely on TT to perform the signature check which seems lame.

If I don't see any indication there's a fix I'll submit a bugcrowd ticket and see what happens.

Yes it sure doesn't give you that comfort level when your tax software has certificates that are not trusted.  As I said once before, I called and the person didn't have a clue what I was talking about.   Now instead of getting the yellow invalid certificate message, it just updates with no UAC pop up message.  All other updates, get the UAC messages.   

It seems Turbotax just don't care or they would explain this issue!   Only help they got is someone who is suppose to know how to do taxes.   Not any staff that has an ounce of technical ability on software seems to be available.

 After around 17 years of using them, I think I will change next year.  Mine aren't that hard, I even found 2 errors they have, but they were nothing I couldn't fool the software into doing what I wanted.  One error was I need a federal report for itemizing even though I didn't have enough to itemize on federal.  I did enter all I could for itemizing knowing it wouldn't be enough, but also knowing it would be transferred to my Kansas return.  It is enough to itemize on my Kansas return, just not federal.  Turbotax won't ask for itemizing on the state return, so you have to do it on federal even though you know it won't be enough.  However, I could itemize in Kansas and they wanted a copy of that federal report that wasn't generated.   The other error one was just cosmetic where they left off an amount on a report that only I would use, same error was on last years.   Sorry that's off topic of this thread- me bad.  Already sent taxes in and paid them worthless politicians.

Absolutely ridiculous that they are not taking this issue seriously! Wonder what their QA team is up to!

I am also getting this message on update attempt.  Does Intuit take financial data security seriously?

It would appear that they are not taking system software security seriously by not doing a certificate check.  One wonders if they take our tax data security at that same level?  Sad!

I though this through some more: IF they are validating the updater themselves - it is signed -  and the verification key is in the (signed) main program it COULD be just about as secure as as a code-signing-cert-signed executable checked by the OS as long as they implemented it a correctly.

But if the main program doesn’t validate, and the warning is because the OS signature check doesn’t trust the cert, an attacker can intercept the flow and present the OS with an arbitrary binary with signature validated by the attacker’s cert. Malware would need to be installed and running in order to hook into the program flow - not a trivial undertaking but still.

If they used a trusted code signing cert all this noise would go away - which the right thing to do.

Another problem is that triggering a warning message and expecting the user to ignore it is a security anti-pattern that promotes bad user behavior.

It would be nice if the team would respond! Meantime I’m betting on their implementation being “good enough” because an attack would be a fair amount of effort if my suppositions are correct.

Intuit, you can hire me as a security architect if you like.