The CVE-2020-1464 vulnerability was part of the 120 security flaws addressed in August’s Patch Tuesday. This vulnerability particularly stands out as it was actively expoited in malicious attacks for at least two years before Microsoft fixed it.
What Is CVE-2020-1464?
According to the official description provided by Microsoft, the issue is a spoofing vulnerabilities triggered by the incorrect way Windows validates file signatures. In case of a successful exploit, the attacker could bypass security features and load improperly signed files.
The fix which was released in this month’s Patch Tuesday, corrects the way that Windows validates file signatures.
According to Brian Krebs, attacks based on CVE-2020-1464 were first observed two years ago, in August 2018, when several researchers got in touch with Microsoft informing them about the problem. However, there is no mention of this in Microsoft’s advisory, although the company acknowledged the bug was actively exploited in attacks.
In a blog post dedicated to the vulnerability, Brian Krebs shares the following:
Bernardo Quintero is the manager at VirusTotal, a service owned by Google that scans any submitted files against dozens of antivirus services and displays the results. On Jan. 15, 2019, Quintero published a blog post outlining how Windows keeps the Authenticode signature valid after appending any content to the end of Windows Installer files (those ending in .MSI) signed by any software developer.
According to Quintero, this vulnerability could be very dangerous if an attacker were to use to hide malicious Java files (.jar). This attack vector was in fact detected in a malware sample shared with VirusTotal.
This means that an attacker could append a malicious JAR to a MSI file signed by a company such as Microsoft or Google. The resulting file could then be renamed with the .jar extension, still having a valid signature according Microsoft Windows. What is quite curious is that Microsoft acknowledged Quintero’s findings but refused to address the issue when it was first reported, as visible by the researcher’s original post from 2019.
Quintero is not the only researcher that raised concerns about the vulnerability, as others quickly followed him with separate findings of malware attacks abusing the issue.
The simple question is why Microsoft had to wait two years before properly patching the actively exploited CVE-2020-1464.
Not the First Time Microsoft Refuses to Patch a Zero-Day
This is not the first case of such magnitude, when Microsoft has been too reluctant to address critical zero-day bugs in Windows. Just have a look at the stories linked below:
- Microsoft Fails to Patch Zero-Day Bug in Windows SymCrypt (June 2019)
- Microsoft Refuses to Patch Zero-Day Exploit in Internet Explorer (April 2019)
- Two Zero-Day Flaws in Edge and Internet Explorer Remain Unpatched (April 2019)