Microsoft fixed quite a number of bugs in this month's Patch Tuesday update, which came out last week. While it packed numerous fixes for various versions of Windows, it did draw some criticism for the handling of a security vulnerability that was reported to it by Google.
However, it appears that the Redmond giant's security woes are not yet over as a new report claims that the firm just fixed a Windows zero-day exploit that was reported to it back in 2018.
Last week, Microsoft fixed a security hole in various versions of Windows that mainly deals with the operating system's incorrect handling of file signatures. In CVE-2020-1464, the company noted that:
A spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker who successfully exploited this vulnerability could bypass security features and load improperly signed files. In an attack scenario, an attacker could bypass security features intended to prevent improperly signed files from being loaded.
The update addresses the vulnerability by correcting how Windows validates file signatures.
In a blog post on Medium, security researcher Tal Be'ery has explained that Bernardo Quintero, a manager at VirusTotal - a service owned by Google - first discovered the vulnerability being exploited back in August 2018. This exploit, internally called "GlueBall", was immediately reported to Microsoft and the findings were published in January 2019 by Quintero. Microsoft acknowledged the issue and added mitigation actions in supporting tools, but stated that it would not fix the issue in the operating system itself. The reasoning behind this decision is not public.
After this, several blog posts were published by other people, explaining how to use GlueBall to exploit Windows. Then in June 2020, GlueBall was once again highlighted by prominent social media accounts.
It would seem that roughly around this time, Microsoft began to take this issue seriously and a proper fix to the gaping security hole was finally released in this month's Patch Tuesday. According to Microsoft's security advisory, this flaw was present in Windows 7, 8, 8.1, RT 8.1, Server 2008, 2012, 2016, 2019, and Windows 10, going all the way up to version 2004, and that it was exploited across numerous versions of the operating system.
In a vague statement to KrebsonSecurity, Microsoft stated that:
A security update was released in August. Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected.
The handling of this incident from Microsoft's end is extremely strange, to say the least. One has to wonder why Microsoft delayed fixing a Windows security flaw for nearly two years, especially when it was present in virtually all major versions of the operating system.