This week’s Mystery Theater: Microsoft, in all its infinite wisdom, took two years to fix a Windows security flaw, one that was reportedly first disclosed to the company in 2018 and was being exploited in the wild.
It was taken care of in the newest Patch Tuesday updates.
While this cycle of patches that came out last week included fixes for quite a number of bugs, the Windows maker also drew some criticism for its handling of a security vulnerability that was reported to it by Google.
Interestingly, it was another Google-owned firm that reported this 0-day exploit.
The newly patched CVE-2020-1464 is a spoofing vulnerability in which Windows incorrectly validates file signatures. This could potentially allow an attacker to bypass security features intended to prevent improperly signed files from being loaded.
What’s worse, this vulnerability was first discovered being exploited back in August 2018 by VirusTotal, a service owned by Google.
The exploit was internally called “GlueBall” and was immediately reported to Microsoft. While the software titan acknowledged the issue, it stated that it would not fix it in the operating system, and gave no reason.
Extremely strange behavior from the company, which only began to take this issue seriously in June of this year, when the issue was once again highlighted on social media.
A proper fix was finally released in this month’s Patch Tuesday. The flaw is present in a whole array of Windows versions, starting with Windows 7, 8, 8.1, RT 8.1, Server 2008, 2012, 2016 and 2019, and Windows 10 all the way up to version 2004.
The software titan sidestepped the question of why it waited until now to ship a patch, but the timing of its resolution means that Windows 7 devices exposed to the attack no longer receive the fix for this vulnerability.
Microsoft’s security woes just doubled up.