Microsoft Finally Fixed A Windows Bug, Two Years After It Was Discovered

As part of the August 2020 Patch Tuesday, Microsoft delivered fixes for a number of vulnerabilities.

This time, the release includes a fix for the 20-year-old Windows print spooler bug, as well as a fix for the vulnerability that allowed MSI files to be converted into malicious Java executables while retaining a legitimate digital signature.

The bug, tracked as CVE-2020-1464, is described by Microsoft as a spoofing vulnerability in how Windows validates file signatures.

A spoofing vulnerability of this kind exists when Windows incorrectly validates file signatures. Hackers exploiting the bug could bypass security features intended to prevent improperly signed files from being loaded.

In a blog post, security researcher Tal Be'ery wrote that:

"Digitally signed files are more trusted by the Operating System. This higher trust allows such files to execute in sensitive contexts or excluded from Antivirus scans. Consequently, attackers are trying to spoof these digital certificates to gain these extended privileges for their malicious code."

Be'ery said that the bug was first reported two years ago, on August 18th, 2018, and that Microsoft originally stated that the bug wouldn't get fixed.

Because of this, in January 2019 Bernardo Quintero from VirusTotal disclosed how a malicious signed Java executable was uploaded and detected by the VirusTotal Monitor service. After inspecting the .jar file, Quintero found that the malware was actually an MSI file with a Java JAR file appended to it.

Even though this MSI file had been tampered with and had its extension changed to .jar, Windows still considered the file to be signed by a valid certificate.

According to Tal Be'ery, when Windows reads an MSI file, it reads only the MSI signature from beginning to end and discards the rest. In other words, once a valid MSI file structure is detected, Windows simply ignores any appended data, regardless of what it is.

This could allow hackers to use this particular technique to create Java-based malware that bypasses Windows' security measures.
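For defenders, the file layout described above (a valid MSI with a JAR appended) can be recognised statically. The following is an added example, not code from the researchers or from Microsoft: it flags files that begin with the OLE compound-file header used by MSI and end with a well-formed ZIP end-of-central-directory record. The function names are hypothetical and the sample bytes are constructed.

```python
import io
import struct
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE compound file header (MSI container)
EOCD_SIG = b"PK\x05\x06"  # ZIP end-of-central-directory record
EOCD_LEN = 22  # fixed part of the record; a comment of up to 65535 bytes may follow


def find_appended_zip(data: bytes):
    """Return the offset where a ZIP/JAR glued onto an OLE file starts, else None.

    ZIP readers locate the archive from the END of the file, so whatever sits
    in front of it (here: the MSI) does not stop the file from loading as a JAR.
    """
    if not data.startswith(OLE_MAGIC):
        return None  # not an OLE/MSI container, out of scope for this check
    lo = max(0, len(data) - EOCD_LEN - 0xFFFF)  # only the tail can hold the EOCD
    pos = data.rfind(EOCD_SIG, lo)
    while pos != -1:
        if pos + EOCD_LEN <= len(data):
            cd_size, cd_off, comment_len = struct.unpack_from("<IIH", data, pos + 12)
            start = pos - cd_size - cd_off  # prefix length for a plain concatenation
            # A genuine EOCD ends exactly at EOF and describes data inside the file.
            # start == 0 means the offsets were rewritten as absolute; still a hit.
            if pos + EOCD_LEN + comment_len == len(data) and start >= 0:
                return start
        pos = data.rfind(EOCD_SIG, lo, pos)
    return None


def build_samples():
    """Constructed inputs: a stand-in OLE blob, and the same blob with a JAR appended."""
    fake_msi = OLE_MAGIC + b"\x00" * 504  # 512-byte placeholder, not a real MSI
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return fake_msi, fake_msi + buf.getvalue()


if __name__ == "__main__":
    for name, blob in zip(("clean", "glued"), build_samples()):
        print(name, find_appended_zip(blob))
```

A hit on a file that Windows also reports as validly signed is the combination worth alerting on; the signature check itself is outside this example.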

"This attack vector has been verified in the latest and updated versions of Windows 10 and Java available at the timing of writing (Windows 10 Version 1809 and Java SE Runtime Environment 8 Update 191). Microsoft has decided that it will not be fixing this issue in the current versions of Windows and agreed we are able to blog about this case and our findings publicly."

But with the August 2020 Patch Tuesday, Microsoft no longer considers MSI files to be signed if they have been tampered with by having a .jar appended to them.

"While the technical details are pretty obvious, the way Microsoft had handled the vulnerability report seems rather strange," continued Tal Be'ery.

"It was very clear to everyone involved, Microsoft included, that GlueBall is indeed a valid vulnerability exploited in the wild. Therefore, it is not clear why it was only patched now and not two years ago."

Published: 18/08/2020