Among the 120 Windows 10 bugs fixed by the latest update, distributed through the Windows Update service since August 11, was a 0-day vulnerability that has been used for the last two years to fake the digital signatures assigned to Windows application developers.
Signing executable files with a digital security certificate, a feature made available to application developers, is an important security mechanism of the Windows platform: later verification of the digital signature reveals file corruption or deliberate alteration of the application code.
Windows applications compromised by modifying the installation kit
Flagged as the source of cyber attacks since August 2018, the vulnerability labeled CVE-2020-1464 appears to have been neglected by Microsoft, with the company repeatedly ignoring reports received from independent sources.
Detailed in a post on the blog of VirusTotal, a Google-owned service that scans submitted files against dozens of antivirus engines, the vulnerability can be exploited to hide a malicious Java (.jar) file inside a signed application without invalidating that application's digital signature. Specifically, Windows incorrectly treats an Authenticode signature as still valid even after additional content is appended to the end of a Windows Installer file (those ending in .MSI).
“An attacker can add a malicious JAR to an MSI file signed by a trusted software developer (such as Microsoft Corporation, Google Inc., or any other known developer), and the resulting file can be renamed with a .jar extension and will have a valid signature in accordance with Microsoft Windows,” wrote the manager of VirusTotal, Bernardo Quintero. “Microsoft has decided not to resolve this issue in current versions of Windows and has agreed to publish our revelations on the blog.”
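The structural trick described above is that a JAR is a ZIP archive, and ZIP readers locate the archive from the end of the file, so a JAR appended to a signed MSI is loadable while the Authenticode check still sees the MSI. As an added illustration (not code from VirusTotal or Microsoft), the script below detects such MSI/JAR polyglots the way a scanner would: it checks for the Compound File header that .MSI files start with and, independently, for a consistent ZIP end-of-central-directory record in the tail. The sample input is constructed (an OLE header plus padding standing in for a real installer) and the detection is a heuristic, not a replacement for signature validation.

```python
import io
import struct
import zipfile

# Magic numbers of the two formats that overlap in a CVE-2020-1464-style file.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary header (.msi)
EOCD_MAGIC = b"PK\x05\x06"                        # ZIP end-of-central-directory record
CDH_MAGIC = b"PK\x01\x02"                         # ZIP central-directory file header
EOCD_MIN = 22                                     # fixed size of the EOCD record
MAX_COMMENT = 0xFFFF                              # EOCD may be followed by a comment of up to 64 KiB

def find_eocd(data: bytes):
    """Offset of the last EOCD record, searching only the window a ZIP/JAR
    loader inspects (the final 22 bytes plus a maximal comment), else None."""
    start = max(0, len(data) - EOCD_MIN - MAX_COMMENT)
    idx = data.rfind(EOCD_MAGIC, start)
    return None if idx == -1 else idx

def is_msi_jar_polyglot(data: bytes) -> bool:
    """True when the blob starts as an MSI yet also ends with a self-consistent
    ZIP structure, i.e. a JAR runtime would load it from the tail."""
    if not data.startswith(OLE_MAGIC):
        return False
    eocd = find_eocd(data)
    if eocd is None or eocd + EOCD_MIN > len(data):
        return False
    # EOCD layout: sig(4) disk(2) cd_disk(2) n_this(2) n_total(2) cd_size(4) cd_off(4) comment_len(2).
    # Readers resolve the central directory relative to the EOCD, so the stored
    # cd_off (relative to the JAR's own start) is ignored here on purpose.
    (cd_size,) = struct.unpack_from("<I", data, eocd + 12)
    cd_start = eocd - cd_size
    return cd_start >= len(OLE_MAGIC) and data[cd_start:cd_start + 4] == CDH_MAGIC

def build_sample():
    """Constructed sample: a stand-in 'MSI' (OLE magic plus zero padding, not a
    real installer) and the same bytes with a small JAR appended."""
    fake_msi = OLE_MAGIC + b"\x00" * 504
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("Example.class", b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return fake_msi, fake_msi + buf.getvalue()

if __name__ == "__main__":
    clean, appended = build_sample()
    print("clean MSI flagged:", is_msi_jar_polyglot(clean))        # False
    print("MSI+JAR flagged:", is_msi_jar_polyglot(appended))      # True
```

A signature check alone would report both samples as equally valid on an unpatched system; flagging the appended ZIP structure is what separates them.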
Elusive explanation from Microsoft
Asked to comment on why they waited two years to fix a vulnerability that was actively exploited to compromise the security of Windows computers, Microsoft representatives sidestepped the question, stating only that Windows users who have applied the latest security updates are protected from this attack.
“A security update was released in August,” Microsoft said in a written statement to KrebsOnSecurity. “Customers who apply the update or have automatic activations will be protected. We continue to encourage customers to enable automatic updates to ensure that they are protected.”