August 17, 2020

A security flaw in the way Microsoft Windows guards users against malicious files was actively exploited in malware attacks for two years before last week, when Microsoft finally issued a software update to correct the problem.

One of the 120 security holes Microsoft fixed on Aug. 11’s Patch Tuesday was CVE-2020-1464, a problem with the way every supported version of Windows validates digital signatures for computer programs.

Code signing is the method of using a certificate-based digital signature to sign executable files and scripts in order to verify the author’s identity and ensure that the code has not been changed or corrupted since it was signed by the author.

Microsoft said an attacker could use this “spoofing vulnerability” to bypass security features intended to prevent improperly signed files from being loaded. Microsoft’s advisory makes no mention of security researchers having told the company about the flaw, which Microsoft acknowledged was actively being exploited.

In fact, CVE-2020-1464 was first spotted in attacks used in the wild back in August 2018. And several researchers informed Microsoft about the weakness over the past 18 months.

Bernardo Quintero is the manager at VirusTotal, a service owned by Google that scans any submitted files against dozens of antivirus services and displays the results. On Jan. 15, 2019, Quintero published a blog post outlining how Windows keeps the Authenticode signature valid after appending any content to the end of Windows Installer files (those ending in .MSI) signed by any software developer.

Quintero said this weakness would be particularly acute if an attacker were to use it to hide a malicious Java file (.jar). And, he said, this exact attack vector was indeed detected in a malware sample sent to VirusTotal.

“In short, an attacker can append a malicious JAR to a MSI file signed by a trusted software developer (like Microsoft Corporation, Google Inc. or any other well-known developer), and the resulting file can be renamed with the .jar extension and will have a valid signature according Microsoft Windows,” Quintero wrote.

But according to Quintero, while Microsoft’s security team validated his findings, the company chose not to address the problem at the time.

“Microsoft has decided that it will not be fixing this issue in the current versions of Windows and agreed we are able to blog about this case and our findings publicly,” his blog post concluded.

Tal Be’ery, founder of Zengo, and Peleg Hadar, senior security researcher at SafeBreach Labs, penned a blog post on Sunday that pointed to a file uploaded to VirusTotal in August 2018 that abused the spoofing weakness, which has been dubbed GlueBall. The last time that August 2018 file was scanned at VirusTotal (Aug. 14, 2020), it was detected as a malicious Java trojan by 28 of 59 antivirus programs.

More recently, others would likewise call attention to malware that abused the security weakness, including this post in June 2020 from the Security-in-bits blog.

Image: Securityinbits.com

Be’ery said the way Microsoft has handled the vulnerability report seems rather strange.

“It was very clear to everyone involved, Microsoft included, that GlueBall is indeed a valid vulnerability exploited in the wild,” he wrote. “Therefore, it is not clear why it was only patched now and not two years ago.”

Asked to comment on why it waited two years to patch a flaw that was actively being exploited to compromise the security of Windows computers, Microsoft dodged the question, saying Windows users who have applied the latest security updates are protected from this attack.

“A security update was released in August,” Microsoft said in a written statement sent to KrebsOnSecurity. “Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected.”

Update, 12:45 a.m. ET: Corrected attribution on the June 2020 blog article about GlueBall exploits in the wild.


53 thoughts on “Microsoft Put Off Fixing Zero Day for 2 Years”

  1. TheFed

    Arrogance coupled with Stupidity. Must be nice to be a billion dollar corp with the immunity of giant corporate walls. Long ago Microsoft “should” have been forced by the US Gov to take responsibility for all the trouble their vulnerable software has caused.

    1. Just Thinking

      What’s to say it wasn’t being actively used by the government? I think they should port this patch backwards to those who have Windows7 machines, since it was a known exploit at that time.

      1. Dave

        That was my reaction too, the comment “Customers who apply the update, or have automatic updates enabled, will be protected” should continue with “unless you’re running Windows 7”, which is out of support now but was very much in support when Microsoft became aware of this.

    2. BaliRob

      “TheFed

      Well said – I wish that they had been my words. I am sick and tired of Microsoft’s attitude to us mere mortals. I still do not have the courage to Update my Win8.1 from last August-October Update fiascos. With no apologies or recompense for the losses that their CRAP updates caused to my desktop at that time.

      1. Luc

        Give Linux a try if you don’t like windows. It has its issues but it’s a lot better.

      2. LinuxMan

        Why are you still using Windows? It’s a horror show. Everyone knows it. Linux is far superior in quality, usability, and common sense, in addition to security.

        1. Rick

          Linux more usable than Windows? I can’t believe that someone actually a) said that and b) believes that…and not necessarily in that order.

    3. Thomas Lionel SMETS

      It is blatantly obvious that some (US ?) Gov agency is behind this ! Dodging the question as they did is sooooo unprofessional that it ought to be suspicious !
      My 1.5 cents on the matter.

  2. Niteprowl2

    2 years ago they would have had to update Windows 7 and 8 before going to Windows 10. Now they can disregard any users other than Windows 10 users and shirk their responsibility to everyone else. That sucks!

  3. Dennis

    They treat security researchers quite badly. My friend and I submitted several vulnerabilities to them with several pages of PDF documentation and a working PoC. And we received a one-sentence reply that they thanked us and that they will forward it to the correct dept. The bottom line – it’s still not fixed. Probably 6 months after. So, pretty much the same story. My guess is that there are so many vulns in their OS that they pick only the worst remote code execs. The rest is swept under the rug.

    1. Thomas Lionel SMETS

      Dennis,
      Just publish them after the 30 days grace period is over !

  4. Phil

    My gut hunch: Because patching it immediately would likely have required crippling the very heart & soul of what Microsoft is in business for: making sure everyone has paid up! And now they have finally replaced that core with an updated method

  5. PHP

    Surely by request by NSA.
    Security services need backdoors. If they can not get Microsoft to put them in, maybe they can get them to delay patching.

    1. Philip Elder

      Concur.

      Yeah, that’s a bit tinfoil hat, but given the craziness in the world over the last few years, I’m a gonna say, “Yup”.

        1. leetoburrito

          Indeed, do you need a reminder of _NSAKEY / advapi32.dll?

      1. RunningBurningMan

        OK, Phil, I’ll bite! What is “the craziness in the world over the last few years” and how does it relate to this or these issues?

        Huh?

  6. Visatronics

    What I would like to know is why every new Windows PC has expired security certificates installed; even a brand new OEM Windows O.S. disk will install expired certificates. Even brand new Android phones have expired certificates installed from the factory. In my opinion every Windows PC and Android has security holes before you purchase.

    1. YouAreStupid

      Expired certs do not present a security flaw. It just means the services checking them will throw out valid requests until the certs are updated. You clearly have no clue how certificates work.

    2. i'm a person

      Expired Certs don’t pose a threat. Still weird that they’re there

      1. Kieran

        No, certificates may still be part of a valid chain of trust. When you sign code, this is the reason you countersign with a timestamp server, so that even when your certificate expires, the signature was and therefore is still valid.

  7. Silly Rabbit

    No one ever thinks that maybe the (insert multi-letter agency) were hamstringing Microsoft into not performing the update because they were actively using the vulnerability to exploit and spy on an active TOI at the cost of civilian security?

    You don’t actually believe a windows install needs to be over 6 GB ?

    1. Doubtist

      I tend to believe a more mundane explanation is equally likely.

      Like OEM/3rd party enterprises/vendors using invalid sigs or just ignoring the issue for so long that going back to fix all the critical .msi’s over the decades with proper sigs would be more work than the actual security afforded in the minor method.

    2. William

      Maybe it was the multi-lettered agency that told Microsoft to tighten it up…..

    3. Kadragon

      Many Linux distributions require similar storage space as Windows. It’s not Windows taking up a lot of space. Operating Systems taking up more drive space. Ubuntu 20.04 out of the box takes up a similar amount. Some other non-light-weight distributions take up similar amounts once you get them set up.

  8. LexNoxa

    Consequences of stupid society.
    There are today excellent open source alternatives to Microsoft for both corporate and personal users, but Microsoft keeps existing. The problem is due to common laziness mixed with pure stupidity giving this kind of company an existence.

  9. Marc

    Microsoft offers fair to poor service to customers – not news. Frustration and at times anger wells up but changes nothing. Calls for government regulation require a broken agency to improve a broken agency. How about not using MS anymore? Stop using MS O/S and hardware products. Tell Microsoft you stopped and send a copy of a receipt that shows you stopped. Customers have the power to bring change. If you do nothing that is exactly what will change.

  10. Mahhn

    You’re all silly calling this an exploit, it’s a feature.
    The feature has been replaced with another one.

  11. hurrraaa

    usa is only country where the fraud and scams are existing
    usa security system is from windows 90s lol
    europe and the rest of the world is all ready ahead usa still behind
    its what usa cant hire guys who will make secure it system??
    or what is the problem?

    guys update you it and everybody can sleep well

    1. Doubtist

      “usa is only country where the fraud and scams are existing”

      Oh, Ok Beijing.

  12. Judas

    If this were made public and patched while Windows 7 was still in support, they would have had to patch it too… which might have been different/more difficult than only addressing Win10

    Waiting until Win7 reached EoL means they don’t have to develop fixes for it…. much easier since you only have to support 1/2 the versions.

    You just have to let your users sit exposed to a critical vulnerability for a couple years, then you can save yourself some dev time.

  13. Winston

    “We continue to encourage customers to turn on automatic updates to help ensure they are protected.”

    Doesn’t do much good if Microsoft doesn’t provide a patch for two years, thereby allowing two years for a machine to be compromised with malware with “official” ring zero permission.

  14. Elliott

    Many here are quick to judge, but I suspect that there’s more to it than arrogance or stupidity on Microsoft’s part. Think what you want. They supply fixes every month, just as every other software entity does, so why not this one?

    “Be’ery said the way Microsoft has handled the vulnerability report seems rather strange.”

    Perhaps it might be worth pausing the knee-jerk once in a while and think for a moment.

    The examples of the exploit that are cited here are using Java. Everyone reading Krebs has removed Java, right?

    1. Elliott

      I’m pretty sure that I just asked for conspiracy theories.

      I’m sorry.

  15. Steve

    Elliott is right – I don’t see an actual vulnerability here.

    The claim is that the resulting file “will have a valid signature according Microsoft Windows” but the screenshot only shows a valid signature being reported by Windows Explorer. Explorer != Windows. Explorer isn’t even automatically trusted by the rest of the operating system (it can’t be, because otherwise malware could easily take control of it.)

    I don’t think I’ve _ever_ looked at that tab. It rarely, if ever, contains useful information.

    The only “vulnerability” I can see here is that an ignorant _human_ might look at the file properties of a .jar, see a digital signature, and incorrectly conclude that the .jar was signed by whomever. That is undesirable, and I would definitely classify it as a bug, but that’s not a software vulnerability, that’s a human vulnerability (ignorance of the limitations of the .jar format, and the details underpinning the Digital Signatures tab on the property sheet.)

    Unless the presence of such a signature allowed a .jar to be executed when Group Policy would otherwise have blocked it, it’s not a vulnerability in the operating system itself.

  16. John

    Does the JRE allow the file vs signature mismatch or Windows which allows the JRE to run a jar with a mismatch ?

    In any case, the problem appears to be allowing the size mismatch. How hard could this have been to fix?

  17. JJ

    Two possible explanations:

    – idiocy, in the typical MS vein

    – covering for the NSA that was actively using that exploit and needed to find a new one before MS plugged it (maybe NSA didn’t find a new one and MS said, sorry, two years is enough, or maybe the NSA found a new one)

    1. Catwhisperer

      That was my thought, that the vulnerability was being used by clandestine services…

      1. doubtist

        But they wouldn’t need it. Let’s face it, this is a weak vuln.

        Code signing spoof tricks ONE aspect of Windows, and only one, at time of software installation. The user is involved also.

        Believe you me, the NSA’s ability to alter your windows install does not rely on the user clicking “proceed” in actuality after manually starting an install containing an exploit.

        It’s low-lying fruit for 3rd parties to hit enterprise chains though.

  18. Rando

    Just a small note, the picture they used on their twitter account is…very incorrect. The file command uses file headers, which is why it says msi file, and it’s correct, because the top of the file is an msi file. The bug in the signature algorithm is that it stops after it verifies the msi file and it seems to do so because of the headers it sees and ignores the extension, but the file execution handler is based on the extension, not the headers.
    The reason why zip files being read from bottom to top is important is because prepending an msi file will not make a jar file invalid, but the ordering has nothing to do with how the file is executed. If you didn’t append the jar file, the jre would just say the file was invalid and it would not execute the msi file.

  19. MattK

    If MS isn’t going to bother to fix them and then stop reporting them, just release them directly to the wild.

    1. Hmm,

      The collateral damage from that approach could kill economies.

  20. Alex

    Some popular product installers use this “capability” to improve user experience for an installer… for example if you want to pass some sort of token to an installer it is allowed based on this mechanism. Quite a few companies use this trick that’s been around since the 2000s to give you install links (MSI or EXE for Windows) that automatically come logged in and know which user is doing the install. Basically you sign your software with an EV Authenticode signature but you are allowed to append some data outside of the signed envelope. Everyone from Dropbox to GoToMeeting and many other conferencing solutions have used this for years and there are still legitimate reasons for doing so.

    I assume Microsoft didn’t want to break compatibility for a lot of users very quickly. E.g Dropbox stopped doing this around a year or two ago but many still do it. Not sure if this patch breaks this or what…

  21. Someone

    So basically, the major vulnerability was that JAR files have no validation checking.

    The first two bytes of a ZIP (and, by extension, JAR) file should always be “PK”.

    It would also be ridiculously easy to include malware scanner signatures to detect this. Probably why it was so low on the priority list.
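As an added example (not code from the article, VirusTotal, or the SafeBreach/Zengo post), the following Python check covers both the article's description of the technique and the commenters' points above about ZIP readers working from the end of the file and the leading “PK” bytes: it measures how many bytes precede a ZIP/JAR archive and flags files that start like a Windows Installer package yet end with a valid archive. The sample input is constructed; the 512-byte MSI stand-in carries no real signature.

```python
import io
import struct
import zipfile

# Not from the article: OLE compound-file magic every .msi starts with, and the
# ZIP End-Of-Central-Directory (EOCD) record layout.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
EOCD_SIG = b"PK\x05\x06"
EOCD_FMT = "<4s4H2LH"  # sig, 4 disk/entry counts, cd size, cd offset, comment len

def zip_prefix_length(data: bytes):
    """Bytes preceding the ZIP archive inside `data`, or None if there is none.
    ZIP/JAR readers locate the archive from its END (the EOCD record), so a
    signed MSI glued on in front is simply skipped. The central-directory
    offset in the EOCD is relative to the archive's own first byte, so
    EOCD position minus (cd_size + cd_offset) is exactly the foreign prefix.
    """
    tail = data[-(65536 + 22):]   # EOCD may be followed by a <= 64 KiB comment
    pos = tail.rfind(EOCD_SIG)
    if pos < 0:
        return None
    eocd_pos = len(data) - len(tail) + pos
    fields = struct.unpack(EOCD_FMT, data[eocd_pos:eocd_pos + 22])
    prefix = eocd_pos - fields[5] - fields[6]   # minus cd_size and cd_offset
    return prefix if prefix >= 0 else None

def classify(data: bytes) -> str:
    """Only the leading MSI is covered by an Authenticode signature, so
    'msi-with-appended-zip' is the shape worth alerting on."""
    looks_like_msi = data.startswith(OLE_MAGIC)
    prefix = zip_prefix_length(data)
    if looks_like_msi and prefix:
        return "msi-with-appended-zip"
    if looks_like_msi:
        return "msi"
    if prefix == 0:
        return "zip"
    if prefix:
        return "zip-with-prefix"
    return "other"

def archive_entries(data: bytes) -> list:
    """A ZIP reader still opens the archive despite the MSI in front of it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

def build_sample() -> bytes:
    """Constructed sample: a 512-byte stand-in for a signed MSI (real magic,
    zeroed body, no real signature) followed by a one-entry JAR."""
    fake_msi = OLE_MAGIC + b"\0" * 504
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return fake_msi + buf.getvalue()
```

A signature verifier that only covers the compound document will report the prefix as validly signed; the prefix length returned here is the size of exactly that signed-but-irrelevant part.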

  22. Neal Fildes

    simple deflection. taking after the cheeto in the white house

  23. Vince

    I’d say the reason MS waited is simple.. by waiting they got to avoid patching a massive bundle of OS versions that are now “not supported” and can also push the “you have to use 10 to be secure” mantra now they have released it in the hope of pushing another % of people over to the mess that is 10 (we’ll never release another version, expect all the versions of 10)

    1. Dukki7

      Lol, never fear, I’m sure W11 will be SaaS only. You won’t need to worry about your data being stolen when giving it all to Microsoft becomes a required feature anyway.

  24. Dion

    Can’t redpill people enough to step away from Microsoft and use a different operating system rather than Windows because it’s full of holes and this proves it again

  25. Svein Terje

    Apparently, according to Security Now (podcast), the reason they did not fix it may have been that they are using it for themselves to append files relating to supporting different languages/cultures, but guess it’s just speculation.

  26. Dukki7

    Maybe people would trust Microsoft more if every single update didn’t reset all my privacy settings to open and reinstall Edge.
