Microsoft Put Off Fixing Zero Day for 2 Years


A security flaw in the way Microsoft Windows guards against malicious files was actively exploited in malware attacks for two years before Microsoft finally released a software update to correct the problem.

One of the 120 vulnerabilities that Microsoft fixed in its August 11 Patch Tuesday release was CVE-2020-1464, a problem with the way every supported version of Windows validates digital signatures for computer programs.

Code signing is the practice of using a certificate-based digital signature to sign executables and scripts so that the identity of the author can be verified and so that it can be confirmed the code has not been altered or corrupted since the author signed it.

Microsoft said an attacker could use this “spoofing vulnerability” to bypass security features intended to prevent improperly signed files from being loaded. Microsoft’s advisory does not credit any of the security researchers who reported the bug, which Microsoft acknowledged was being actively exploited.

In fact, CVE-2020-1464 was first spotted in attacks in the wild back in August 2018, and several researchers informed Microsoft about the weakness over the following 18 months.

Bernardo Quintero is the manager of VirusTotal, a service owned by Google that scans any submitted file against dozens of antivirus engines and displays the results. On January 15, 2019, Quintero published a blog post explaining how Windows keeps the Authenticode signature valid even after arbitrary content is appended to the end of a Windows Installer file (those ending in .msi) signed by any software developer.

Quintero said this weakness would be particularly acute if an attacker used it to hide a malicious Java file (.jar). And, he said, this exact attack vector had indeed turned up in a malware sample submitted to VirusTotal.

“In short, an attacker could append a malicious JAR to an MSI file signed by a trusted software developer (such as Microsoft Corporation, Google Inc., or any other well-known developer), and the resulting file can be renamed with the .jar extension and will have a valid signature according to Microsoft Windows,” Quintero wrote.
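The reason the trick works is that the two parsers disagree about which bytes matter: the Authenticode check covens the installer container at the front of the file, while a JAR is a ZIP archive, and ZIP readers locate the central directory from the end of the file. The script below is an added illustration written for this page; it is not Quintero's code, not the VirusTotal sample, and not a real Authenticode implementation. The "signed MSI" is a constructed stand-in (an OLE compound-file header plus zero-filled sectors), the `Dropper.class` entry is placeholder bytes rather than bytecode, and `signed_region_digest` is a deliberately simplified model of the pre-patch behaviour described above (the digest covers only the container, so appended bytes do not change it). The last two functions are the practical part: a detector that flags a file which starts with a PE or OLE header but carries a ZIP archive glued onto its tail.

```python
"""GlueBall-style polyglot: a JAR appended to a (stand-in) signed MSI.

Constructed example for illustration. Assumptions: the MSI is faked as an
OLE header plus padding; the signature check is modelled as a hash over the
container only; the JAR content is a placeholder, not real bytecode.
"""
import hashlib
import io
import struct
import zipfile
from typing import List, Optional, Tuple

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # MSI files are OLE compound files
PE_MAGIC = b"MZ"                                  # PE executables start with MZ
ZIP_EOCD = b"PK\x05\x06"                          # ZIP end-of-central-directory signature
OLE_SECTOR = 512


def make_fake_signed_msi(sectors: int = 4) -> bytes:
    """Stand-in for a vendor-signed MSI: OLE magic followed by zeroed sectors."""
    return OLE_MAGIC + b"\x00" * (OLE_SECTOR * sectors - len(OLE_MAGIC))


def make_jar(manifest: str, class_name: str, class_bytes: bytes) -> bytes:
    """Build a minimal JAR (a ZIP archive) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr(class_name, class_bytes)
    return buf.getvalue()


def signed_region_digest(data: bytes, container_len: int) -> str:
    """Model of the pre-patch check: only the container's bytes are hashed,
    so anything appended after container_len leaves the digest unchanged."""
    return hashlib.sha256(data[:container_len]).hexdigest()


def jar_entries(data: bytes) -> List[str]:
    """Read the bytes as a ZIP/JAR. ZIP readers find the central directory
    by scanning back from the END of the file, so a JAR glued to the tail
    of another file still opens (zipfile corrects the header offsets)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def find_trailing_zip(data: bytes) -> Optional[int]:
    """Return the offset at which an appended ZIP archive begins, or None.

    The EOCD record must lie within the last 22 + 65535 bytes. From its
    central-directory size and offset we derive how many bytes of foreign
    prefix precede the archive (the same arithmetic zipfile uses)."""
    tail_start = max(0, len(data) - (22 + 0xFFFF))
    eocd = data.rfind(ZIP_EOCD, tail_start)
    if eocd < 0 or eocd + 22 > len(data):
        return None
    # EOCD: sig(4) disk(2) cd_disk(2) n_here(2) n_total(2) cd_size(4) cd_off(4) comment_len(2)
    cd_size, cd_off = struct.unpack_from("<II", data, eocd + 12)
    prefix_len = eocd - cd_size - cd_off
    return prefix_len if prefix_len >= 0 else None


def looks_like_glueball(data: bytes) -> bool:
    """Detection heuristic: PE or OLE (MSI) header up front, but a ZIP
    archive that starts after a non-empty prefix at the back."""
    if not (data.startswith(OLE_MAGIC) or data.startswith(PE_MAGIC)):
        return False
    prefix_len = find_trailing_zip(data)
    return prefix_len is not None and prefix_len > 0


def build_polyglot() -> Tuple[bytes, bytes, bytes]:
    """Return (fake signed msi, jar, msi + jar)."""
    msi = make_fake_signed_msi()
    jar = make_jar("Manifest-Version: 1.0\nMain-Class: Dropper\n",
                   "Dropper.class", b"placeholder, not real bytecode")  # constructed
    return msi, jar, msi + jar


if __name__ == "__main__":
    msi, jar, glued = build_polyglot()
    print("container digest unchanged after append:",
          signed_region_digest(msi, len(msi)) == signed_region_digest(glued, len(msi)))
    print("entries a JAR loader would see:", jar_entries(glued))
    print("appended archive begins at byte:", find_trailing_zip(glued))
    print("GlueBall-style polyglot?", looks_like_glueball(glued))
```

The detector is a triage heuristic, not a replacement for the patched signature check: a legitimate self-extracting installer can also end in a ZIP, so a hit should trigger a closer look at what the trailing archive contains rather than an automatic block.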

But according to Quintero, although Microsoft’s security team validated his findings, the company chose not to address the issue at the time.

“Microsoft has decided that it will not fix this issue in the current versions of Windows and has agreed that we will be able to publicly blog about this issue and our findings,” his blog post concluded.

Tal Be’ery, founder of Zengo, and Peleg Hadar, senior security researcher at SafeBreach Labs, penned a blog post on Sunday pointing to a file uploaded to VirusTotal in August 2018 that abused the spoofing vulnerability, which has since been nicknamed GlueBall. The last time the August 2018 file was scanned at VirusTotal (Aug. 14, 2020), it was flagged as a malicious Java trojan by 28 of 59 antivirus engines.

More recently, others have also called attention to malware exploiting the vulnerability, including this June 2020 post from the Security-in-bits blog.

Image: Securityinbits.com

Be’ery said the way Microsoft handled the vulnerability report seems strange.

“It was very clear to everyone involved, including Microsoft, that GlueBall is indeed a valid vulnerability that has been exploited in the wild,” he wrote. “Therefore, it is not clear why it was patched only now and not two years ago.”

Asked why it waited two years to patch a bug that was being actively exploited to compromise the security of Windows computers, Microsoft sidestepped the question, saying Windows users who have the latest security updates applied are protected against this attack.

“A security update was released in August,” Microsoft said in a written statement sent to KrebsOnSecurity. “Customers who apply the update, or have automatic updates enabled, will be protected. We encourage customers to enable automatic updates to ensure they are protected.”

Update, 12:45 PM ET: Corrected the attribution on the June 2020 blog post about GlueBall exploitation in the wild.

Tags: Bernardo Quintero, CVE-2020-1464, GlueBall, Peleg Hadar, SafeBreach Labs, Securityinbits.com, Tal Be’ery, Zengo

This entry was posted on Monday, August 17th, 2020 at 12:05 pm and is filed under A Little Sunshine, Time to Patch.