Stories
Slash Boxes
Comments

SoylentNews is people

Microsoft Put Off Fixing Zero Day for 2 Years

posted by martyb on Monday August 24 2020, @04:33AM   Printer-friendly
from the signed-means-safe,-right? dept.

upstart writes in with an IRC submission:

Microsoft Put Off Fixing Zero Day for 2 Years:

One of the 120 security holes Microsoft fixed on Aug. 11's Patch Tuesday was CVE-2020-1464, a problem with the way every supported version of Windows validates digital signatures for computer programs.

Code signing is the method of using a certificate-based digital signature to sign executable files and scripts in order to verify the author's identity and ensure that the code has not been changed or corrupted since it was signed by the author.

Microsoft said an attacker could use this "spoofing vulnerability" to bypass security features intended to prevent improperly signed files from being loaded. Microsoft's advisory makes no mention of security researchers having told the company about the flaw, which Microsoft acknowledged was actively being exploited.

In fact, CVE-2020-1464 was first spotted in attacks used in the wild back in August 2018. And several researchers informed Microsoft about the weakness over the past 18 months.

Bernardo Quintero is the manager at VirusTotal, a service owned by Google that scans any submitted files against dozens of antivirus services and displays the results. On Jan. 15, 2019, Quintero published a blog post outlining how Windows keeps the Authenticode signature valid after appending any content to the end of Windows Installer files (those ending in .MSI) signed by any software developer.

[...] "In short, an attacker can append a malicious JAR to a MSI file signed by a trusted software developer (like Microsoft Corporation, Google Inc. or any other well-known developer), and the resulting file can be renamed with the .jar extension and will have a valid signature according Microsoft Windows," Quintero wrote.

[Emphasis from original retained.]

Original Submission

 
This discussion has been archived. No new comments can be posted.
Microsoft Put Off Fixing Zero Day for 2 Years | Log In/Create an Account | Top | 13 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: -1, Spam) by Anonymous Coward on Monday August 24 2020, @06:00AM

    by Anonymous Coward on Monday August 24 2020, @06:00AM (#1041057)

    https://www.thesun.co.uk/news/worldnews/12444192/monkey-slave-schools-coconuts-supermarket-thailand-sex-street-performers/ [thesun.co.uk]

    MONKEY BUSINESS Snatched from their mums, chained & tortured – how helpless monkeys are sold to ‘slave schools’ and even used for sex

    Forced to wear make-up and raped

    Sickeningly, it’s not just exhausting farm work primates are forced to carry out.

    In an exclusive interview with The Sun, former director of Borneo Orangutan Survival Foundation UK Michelle Desilets previously revealed the full horror of Pony - the female orangutan who had been forced to work as a prostitute for remote farm workers in Borneo.

    Chained to a bed, men could choose to pay to have sex with her – and she was shaved daily and made to wear perfume and jewellery.

    Laying bare the sheer terror of Pony’s life, Michelle said: “It was horrifying. She was a sex slave – it was grotesque.

    "She was covered in abscesses, and they put make-up and earrings on her.

    “She must have been in so much pain. It was horrible to think about how terrified she must have been.”

    Starting Score:    0  points
    Moderation   -1  
       Spam=1, Total=1
    Extra 'Spam' Modifier   0  
    Total Score:   -1