Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Monday August 24 2020, @04:33AM   Printer-friendly
from the signed-means-safe,-right? dept.

Microsoft Put Off Fixing Zero Day for 2 Years:

One of the 120 security holes Microsoft fixed on Aug. 11's Patch Tuesday was CVE-2020-1464, a problem with the way every supported version of Windows validates digital signatures for computer programs.

Code signing is the method of using a certificate-based digital signature to sign executable files and scripts in order to verify the author's identity and ensure that the code has not been changed or corrupted since it was signed by the author.

Microsoft said an attacker could use this "spoofing vulnerability" to bypass security features intended to prevent improperly signed files from being loaded. Microsoft's advisory makes no mention of security researchers having told the company about the flaw, which Microsoft acknowledged was actively being exploited.

In fact, CVE-2020-1464 was first spotted in attacks used in the wild back in August 2018. And several researchers informed Microsoft about the weakness over the past 18 months.

Bernardo Quintero is the manager at VirusTotal, a service owned by Google that scans any submitted files against dozens of antivirus services and displays the results. On Jan. 15, 2019, Quintero published a blog post outlining how Windows keeps the Authenticode signature valid after appending any content to the end of Windows Installer files (those ending in .MSI) signed by any software developer.

[...] "In short, an attacker can append a malicious JAR to a MSI file signed by a trusted software developer (like Microsoft Corporation, Google Inc. or any other well-known developer), and the resulting file can be renamed with the .jar extension and will have a valid signature according Microsoft Windows," Quintero wrote.

[Emphasis from original retained.]


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Informative) by Anonymous Coward on Monday August 24 2020, @07:01AM (3 children)

    by Anonymous Coward on Monday August 24 2020, @07:01AM (#1041063)

    Wikipedia:

    A zero-day (also known as 0-day) vulnerability is a computer-software vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating the vulnerability (including the vendor of the target software) and is being actively exploited in the wild.

    This is
    * a vuln
    * unaddressed by MS
    * not publicly known
    * was being actively exploited

    This is a 0-day.

    Starting Score:    0  points
    Moderation   +5  
       Insightful=2, Informative=3, Disagree=1, Total=6
    Extra 'Informative' Modifier   0  

    Total Score:   5  
  • (Score: 4, Informative) by canopic jug on Monday August 24 2020, @12:17PM (2 children)

    by canopic jug (3949) Subscriber Badge on Monday August 24 2020, @12:17PM (#1041105) Journal

    This is a 0-day.

    Except that according to the fine article it was spotted in 2018, M$ was reminded 18 months ago. It's even in the headline of the Krebs blog post, "Microsoft Put Off Fixing Zero Day for 2 Years".

    In fact, CVE-2020-1464 was first spotted in attacks used in the wild back in August 2018. And several researchers informed Microsoft about the weakness over the past 18 months.

    So, nope, not a 0-day.

    --
    Money is not free speech. Elections should not be auctions.
    • (Score: 1, Informative) by Anonymous Coward on Monday August 24 2020, @06:36PM (1 child)

      by Anonymous Coward on Monday August 24 2020, @06:36PM (#1041261)

      What?

      * a vuln

      Check.

      * unaddressed by MS

      Check.

      * not publicly known

      Ok this depends how you define "publicly". The 0day defn clearly includes bugs that the developer knows of but is not patching. Having one or two security researchers make non-public disclosures only to MS is not in public. Being exploited but not identified as being exploited is also in the 0day defn. It doesn't matter if it's publicly used, it's whether it's publicly /known/ to be, which slices non/0day.

      * was being actively exploited

      Was being. As you quoted, for 18mo.

      I don't understand - can you explain? Are you using a diff defn of 0day?

      • (Score: 2) by canopic jug on Tuesday August 25 2020, @06:21AM

        by canopic jug (3949) Subscriber Badge on Tuesday August 25 2020, @06:21AM (#1041509) Journal

        What? The fact that it is known by the vendor automatically removes it from the category of zero-day. Once that happens the clock is ticking. M$ was told about this bug several times, years ago.

        Here's what happens, not in any particular order:

        • black hats discover vulnerability
        • white hats discover vulnerability
        • exploits available to black hats
        • exploits available to white hats
        • vulnerability made public
        • vendor informed
        • vendor acknowledges vulnerability
        • vendor announces patch
        • vendor publishes patch
        • vendor publishes a patch that works
        • exploits used manually
        • exploits used by self-replicating tools

        Again, that's not in any particular order. Just because M$ is never ready with their patches, no matter how much advanced warning they get, until long after the exploits start rolling doesn't make the bug a zero-day.

        --
        Money is not free speech. Elections should not be auctions.