Microsoft had known about the spoofing vulnerability for almost two years, but it released a Windows security patch only now

Microsoft has recently released its August security patches to address 120 vulnerabilities and bugs. These patches cover Windows and Microsoft's browsers, as well as Microsoft Office, SQL Server, Microsoft Dynamics, the .NET Framework, the Microsoft JET database engine, and ASP.NET Core.

Two of these vulnerabilities are under active attack. One of them is an important spoofing vulnerability (CVE-2020-1464). It affects most supported and unsupported Windows systems, notably Windows 7, Windows 8.1, Windows 10, and several server versions of Windows. The vulnerability allows an attacker to load improperly signed files: an attacker can load a file and trick Windows into accepting it as a legitimately signed file from a trusted source. This lets the attacker bypass security features that are intended to stop improperly signed files from being loaded in the first place.

This vulnerability was publicly known, and Microsoft has admitted that the company itself knew about it since 2018! The company had already detected the bug and its exploitation, but for some unknown reason it took around two years to release a security patch for it.

If Microsoft had released this security fix in 2018 instead of August 2020, all Windows 7 devices would have received it. Instead, they are exposed to attacks and can no longer receive security patches, because support for Windows 7 ended in January 2020. So the old Windows 7 devices are all left exposed, and that is a pretty sad thing to happen.

Bernardo Quintero, the manager of VirusTotal, found this vulnerability and reported it to Microsoft. The company decided at the time not to fix the issue in the then-current versions of Windows, although the security researchers were allowed to blog publicly about their findings.

Tal Be’ery, another security researcher and the founder of KZen Networks, claims that Microsoft had known about this vulnerability since the summer of 2018. It is strange that, despite knowing the bug had been exploited for so long, Microsoft did nothing to fix it at the time.

When Microsoft was questioned about it, it avoided answering and gave no logical reason for being so slow to provide a security patch for a good two years!

Even now, this vulnerability is rated only ‘Important’, which is a gross understatement according to Todd Schell, a senior product manager for security at Ivanti.

Schell says that this vulnerability has a base score of only 5.3 under the Common Vulnerability Scoring System (CVSSv3), even though it is being actively exploited. This is an example of how score-based prioritization can miss priority items. Schell argues that CVSS scores at a certain level or higher should be supplemented with other metrics that catch publicly disclosed and actively exploited vulnerabilities.
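Schell's point can be made concrete with a small patch-triage routine that ranks a vulnerability by threat context (exploited in the wild, publicly disclosed) before its CVSS base score. This is an added example, not code from the article or from Ivanti; the CVE-2020-1464 values come from the article, the other entries are constructed placeholders, and the tier thresholds are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss_base: float       # CVSSv3 base score as published
    vendor_severity: str   # vendor's own rating, e.g. "Important" or "Critical"
    exploited: bool        # confirmed exploitation in the wild
    disclosed: bool        # publicly disclosed before the patch shipped


def triage_tier(v: Vuln) -> int:
    """Return a patch tier (lower number = patch sooner).

    The thresholds are assumptions for illustration: the base score alone
    leaves a 5.3 in the middle of the queue, so threat context overrides it.
    """
    if v.exploited:                                   # in-the-wild exploitation wins
        return 1
    if v.disclosed or v.vendor_severity.lower() == "critical":
        return 2
    if v.cvss_base >= 7.0:                            # high/critical by score only
        return 3
    return 4


def cvss_only_order(vulns):
    """Naive queue: highest CVSS base score first, nothing else considered."""
    return [v.cve for v in sorted(vulns, key=lambda v: -v.cvss_base)]


def context_aware_order(vulns):
    """Queue by tier first, then by base score (highest first) within a tier."""
    return [v.cve for v in sorted(vulns, key=lambda v: (triage_tier(v), -v.cvss_base))]


# Constructed sample data: CVE-2020-1464 values are from the article (5.3,
# rated Important, publicly known and actively exploited); the rest are
# placeholders, not real CVE identifiers.
SAMPLE = [
    Vuln("CVE-2020-1464", 5.3, "Important", exploited=True, disclosed=True),
    Vuln("CVE-PLACEHOLDER-A", 8.8, "Critical", exploited=False, disclosed=False),
    Vuln("CVE-PLACEHOLDER-B", 7.5, "Important", exploited=False, disclosed=True),
    Vuln("CVE-PLACEHOLDER-C", 6.1, "Important", exploited=False, disclosed=False),
]

if __name__ == "__main__":
    print("CVSS only:    ", cvss_only_order(SAMPLE))      # CVE-2020-1464 lands last
    print("With context: ", context_aware_order(SAMPLE))  # CVE-2020-1464 lands first
```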
