With last week’s Patch Tuesday, Microsoft fixed 120 vulnerabilities — including two zero-days — across 13 different products. Among these vulnerabilities was CVE-2020-1464 — which Microsoft describes as a ‘Windows spoofing flaw’ that allowed an attacker to bypass security features and load improperly signed files.
This flaw affects the Windows code signing process, which is responsible for verifying the software developer’s identity and ensuring that the code has not been altered since it was signed. An operating system relies on code signing to validate the integrity of the file being executed, and if it cannot validate it, the executable should be prevented from loading.
Because of the CVE-2020-1464 flaw, Windows code signing continued to trust a Windows Installer (.msi) file even if code had been appended to it after it was signed. This means Windows code signing was not working as expected: attackers could modify a signed installer to include malicious code, and it would still be trusted and executed on a Windows device.
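As an added illustration of the check a defender would want (example code written for this page, not code from the article, VirusTotal or Microsoft): an MSI is an OLE compound file, and its Authenticode signature is stored in a stream inside that container, so bytes appended after the last allocated sector sit outside every stream and therefore outside what the signature hashes. The script below parses the container’s FAT to find the last sector in use and reports how many bytes follow it; the MSI-like container it checks is constructed inline.

```python
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD


def trailing_bytes(data: bytes) -> int:
    """Bytes that follow the last sector the FAT marks as allocated.

    0: file ends where its OLE structure ends. Positive: glued-on data that no
    stream (and so no signature) covers. Negative: the container is truncated.
    """
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    per_sector = sector_size // 4                  # 32-bit FAT entries per sector
    num_fat = struct.unpack_from("<I", data, 44)[0]
    # The header carries the first 109 FAT sector numbers; larger files chain
    # further DIFAT sectors, whose last entry points to the next DIFAT sector.
    difat = list(struct.unpack_from("<109I", data, 76))
    nxt = struct.unpack_from("<I", data, 68)[0]
    while nxt not in (FREESECT, ENDOFCHAIN):
        entries = struct.unpack_from(f"<{per_sector}I", data, (nxt + 1) * sector_size)
        difat.extend(entries[:-1])
        nxt = entries[-1]
    highest_used = -1
    for ordinal, fat_sector in enumerate(difat[:num_fat]):
        fat = struct.unpack_from(f"<{per_sector}I", data, (fat_sector + 1) * sector_size)
        for j, entry in enumerate(fat):
            if entry != FREESECT:              # chain links, FATSECT and DIFSECT are all in use
                highest_used = max(highest_used, ordinal * per_sector + j)
    # Sector i starts at (i + 1) * sector_size because sector 0 follows the header.
    return len(data) - (highest_used + 2) * sector_size


def build_minimal_cfb() -> bytes:
    """Constructed sample: 512-byte sectors, one FAT sector and one directory sector."""
    hdr = bytearray(512)
    hdr[0:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)   # version 3, sector shift 9
    struct.pack_into("<8I", hdr, 44, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))   # the FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    return bytes(hdr) + fat + bytes(512)       # directory sector left empty; not needed here


if __name__ == "__main__":
    clean = build_minimal_cfb()
    glued = clean + b"PK\x05\x06" + bytes(18)  # constructed: a ZIP-style tail appended after signing
    print(trailing_bytes(clean), trailing_bytes(glued))  # 0 22
```

A non-zero result is a triage signal, not proof of tampering: confirm by verifying the signature and inspecting the appended bytes before acting on it.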
The good news is that Microsoft patched this vulnerability last week along with more than a hundred others. The not-so-good news is that it took Microsoft two years to patch it.
CVE-2020-1464 – Ignored by Microsoft, Not Attackers
CVE-2020-1464 (known as ‘GlueBall’) was first reported in August 2018 after a sample was uploaded to VirusTotal. The flaw was immediately reported to Microsoft. In a January 2019 blog post, Bernardo Quintero, founder of VirusTotal, explained how a malicious MSI file disguised as a JAR file could be used to infect devices simply by double-clicking the file. Bernardo also mentioned that Microsoft had decided ‘not to fix’ the flaw.
When the details of the flaw were first made public, Bernardo noted that VirusTotal had not found evidence of the technique being used to mass-distribute malware. But in June this year, security researchers found evidence of GlueBall being exploited to deliver malware. It was only after this that Microsoft decided to patch the flaw with last week’s updates.
As with any developer, Microsoft has a responsibility to fix security flaws, but it seems they chose not to act upon GlueBall for whatever reason. If they decided not to fix it because it wasn’t ‘widely exploited’, that says something about Microsoft’s priorities. As security researcher Tal Be’ery concludes, the way Microsoft handled the vulnerability report seems rather strange, and it is unclear why it was only patched now and not two years ago.
Needless to say, you should be updating your Windows devices right away. While Windows 10 devices should be updated automatically, Windows 7 users can download a standalone package to patch CVE-2020-1464.