Microsoft Put Off Fixing Zero Day for 2 Years:
One of the 120 security holes Microsoft fixed on Aug. 11's Patch Tuesday was CVE-2020-1464, a problem with the way every supported version of Windows validates digital signatures for computer programs.
Code signing is the method of using a certificate-based digital signature to sign executable files and scripts in order to verify the author's identity and ensure that the code has not been changed or corrupted since it was signed by the author.
Microsoft said an attacker could use this "spoofing vulnerability" to bypass security features intended to prevent improperly signed files from being loaded. Microsoft's advisory makes no mention of security researchers having told the company about the flaw, which Microsoft acknowledged was actively being exploited.
In fact, CVE-2020-1464 was first spotted in attacks used in the wild back in August 2018. And several researchers informed Microsoft about the weakness over the past 18 months.
Bernardo Quintero is the manager at VirusTotal, a service owned by Google that scans any submitted files against dozens of antivirus services and displays the results. On Jan. 15, 2019, Quintero published a blog post outlining how Windows keeps the Authenticode signature valid after appending any content to the end of Windows Installer files (those ending in .MSI) signed by any software developer.
[...] "In short, an attacker can append a malicious JAR to a MSI file signed by a trusted software developer (like Microsoft Corporation, Google Inc. or any other well-known developer), and the resulting file can be renamed with the .jar extension and will have a valid signature according Microsoft Windows," Quintero wrote.
[Emphasis from original retained.]
(Score: 4, Informative) by Anonymous Coward on Monday August 24 2020, @05:13AM (10 children)
It's called a zero-day because programmers have had zero days to fix it. Once it's reported or disclosed, it's not a zero-day any more. Zero-day is not a term for "any random security problem."
(Score: 2, Touché) by Anonymous Coward on Monday August 24 2020, @05:28AM (1 child)
But zero-day sounds so kewl. Like cyberwarfare.
(Score: 2, Funny) by Anonymous Coward on Monday August 24 2020, @07:46AM
3-D printed Cybernautical Quantum Zero Day Hedge Overflow Trimmer. I want.
(Score: 1, Insightful) by Anonymous Coward on Monday August 24 2020, @06:16AM
You will lose this fight, like you lost the fight about "hacking" years before.
(Score: 5, Informative) by Anonymous Coward on Monday August 24 2020, @07:01AM (3 children)
Wikipedia:
This is
* a vuln
* unaddressed by MS
* not publicly known
* was being actively exploited
This is a 0-day.
(Score: 4, Informative) by canopic jug on Monday August 24 2020, @12:17PM (2 children)
This is a 0-day.
Except that according to the fine article it was spotted in 2018, M$ was reminded 18 months ago. It's even in the headline of the Krebs blog post, "Microsoft Put Off Fixing Zero Day for 2 Years".
So, nope, not a 0-day.
Money is not free speech. Elections should not be auctions.
(Score: 1, Informative) by Anonymous Coward on Monday August 24 2020, @06:36PM (1 child)
What?
* a vuln
Check.
* unaddressed by MS
Check.
* not publicly known
Ok this depends how you define "publicly". The 0day defn clearly includes bugs that the developer knows of but is not patching. Having one or two security researchers make non-public disclosures only to MS is not in public. Being exploited but not identified as being exploited is also in the 0day defn. It doesn't matter if it's publicly used, it's whether it's publicly /known/ to be, which slices non/0day.
* was being actively exploited
Was being. As you quoted, for 18mo.
I don't understand - can you explain? Are you using a diff defn of 0day?
(Score: 2) by canopic jug on Tuesday August 25 2020, @06:21AM
What? The fact that it is known by the vendor automatically removes it from the category of zero-day. Once that happens the clock is ticking. M$ was told about this bug several times, years ago.
Here's what happens, not in any particular order:
Again, that's not in any particular order. Just because M$ is never ready with their patches, no matter how much advanced warning they get, until long after the exploits start rolling doesn't make the bug a zero-day.
Money is not free speech. Elections should not be auctions.
(Score: 5, Interesting) by canopic jug on Monday August 24 2020, @07:18AM (1 child)
Furthermore, it gives all appearance of having been a bugdoor for those 540+ to 730+ days. Bugdoors are bugs known to the vendor but kept open, unpatched while various agencies get informed of their existence -- for a fee [tweaktown.com]. That's on top of PRISM [cnet.com] and worse ones like UPSTREAM [mashable.com] and the others. Only when there start to be too many exploits outside of those agencies does M$ actually get around to trying to patch them. Then, as usual, it takes a few tries to get it rightish. For PR purposes they like to try to act all surpised and caught off guard about it.
Money is not free speech. Elections should not be auctions.
(Score: 0) by Anonymous Coward on Monday August 24 2020, @04:57PM
this is what i figured was happening with these kinds of delays. of course windows users are also the same slaves that will say "who cares, i have nothing to hide. i want them to get the terrorists!"
(Score: 0) by Anonymous Coward on Monday August 24 2020, @01:24PM
Zero day is a term applied to an issue when it is first discovered. It isn't a count of the number of days since the issue was exposed. If the issue is found because it's being actively exploited then it's a zero day and remains a zero day.
(Score: -1, Spam) by Anonymous Coward on Monday August 24 2020, @06:00AM
https://www.thesun.co.uk/news/worldnews/12444192/monkey-slave-schools-coconuts-supermarket-thailand-sex-street-performers/ [thesun.co.uk]
MONKEY BUSINESS Snatched from their mums, chained & tortured – how helpless monkeys are sold to ‘slave schools’ and even used for sex
Forced to wear make-up and raped
Sickeningly, it’s not just exhausting farm work primates are forced to carry out.
In an exclusive interview with The Sun, former director of Borneo Orangutan Survival Foundation UK Michelle Desilets previously revealed the full horror of Pony - the female orangutan who had been forced to work as a prostitute for remote farm workers in Borneo.
Chained to a bed, men could choose to pay to have sex with her – and she was shaved daily and made to wear perfume and jewellery.
Laying bare the sheer terror of Pony’s life, Michelle said: “It was horrifying. She was a sex slave – it was grotesque.
"She was covered in abscesses, and they put make-up and earrings on her.
“She must have been in so much pain. It was horrible to think about how terrified she must have been.”
(Score: 5, Insightful) by PiMuNu on Monday August 24 2020, @08:23AM
This is not a bug. The code works exactly as planned. Legitimate developers have to pay Microsoft a tax to develop for their platform.