Microsoft Took Two Years To Fix This Critical Zero-Day Windows Security Exploit
For some inexplicable reason, it took Microsoft two years to finally patch a security flaw that it both knew about the whole time and was being actively exploited in the wild. That's the bad and/or curious news. The good news? It has finally been patched, with the recent cumulative Patch Tuesday update that arrived on August 10, 2020.
The vulnerability affects multiple versions of Windows, including Windows 10, Windows 8/8.1, Windows 7, and various Windows Server builds. As outlined in CVE-2020-1464, Microsoft considers the vulnerability "Important," which is one step below "Critical" and ahead of "Moderate" and "Low" in its security rating system.
What the Redmond outfit finally fixed is a Windows spoofing vulnerability that exists when Windows incorrectly validates file signatures. If exploited, an attacker could bypass security features and load improperly signed files, Microsoft explains.
Signature validation is a security feature built into Windows to verify the author of whatever code is about to be executed. If the signature can't be verified, the code may have been corrupted or manipulated for nefarious purposes. Obviously that is concerning, but what is particularly perplexing is why Microsoft did not plug this security hole long before now.
Microsoft has known about this flaw since August 2018. As spotted by KrebsOnSecurity, Bernardo Quintero, the manager at VirusTotal, blogged about it in January 2019, saying at the time, "Microsoft has decided that it will not be fixing this issue in the current versions of Windows and agreed we are able to blog about this case and our findings publicly."
That suggests Microsoft was not especially worried about this vulnerability, even though it had been spotted being exploited in the wild.
"This behavior could be used to hide and distribute malicious code in MSI signed files, in fact several security solutions rely on the output of Microsoft Windows code signing validation to avoid an in-depth scan when the file has a valid signature by a well-known and trusted software developer," Quintero wrote at the time.
When asked by KrebsOnSecurity why this was left unpatched until now, Microsoft sidestepped the question and instead simply stated that users who have automatic updates enabled in Windows will be protected.