CVE-2020-1464, a security flaw in Windows, was out in the open for two years, and, most importantly, Microsoft knew about it. Yet the company delayed issuing a patch for Windows users.
Microsoft announced fixes for 120 vulnerabilities last week as part of its monthly Patch Tuesday for August. The release made several Microsoft products safer to work with, but one vulnerability in particular, CVE-2020-1464, has caught the eye of the tech sphere. CVE-2020-1464 is a zero-day spoofing vulnerability in the way Windows validates file signatures: a Microsoft Installer (.MSI) file with arbitrary data appended after the signed package still passes signature verification. That lets threat actors bypass Windows' safeguards and load improperly signed files.
The vulnerability was originally discovered in August 2018 by VirusTotal, with a follow-up analysis by Bernardo Quintero, the company's General Manager. Despite the report, and a formal collaboration between Quintero and the Microsoft Security Response Center, the Redmond-based tech behemoth did not issue a fix for two years, until this month's release. This seems odd considering the seriousness of a vulnerability that was publicly documented, in the wild, and ready to be exploited.
Quintero wrote, "Microsoft has decided that it will not be fixing this issue in the current versions of Windows and agreed we are able to blog about this case and our findings publicly."
CVE-2020-1464 exploits a flaw in the code-signing verification implemented in Microsoft Windows. Code signing is a method of authenticating software and maintaining its integrity by cryptographically binding a program to its author. Verification is supposed to ensure that the software has not been tampered with since the author signed it; the flaw is that Windows verified only part of the file, so data could be added after the signed portion without invalidating the signature.
Microsoft explained, "The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user."
Quintero wrote that an attacker could append a malicious Java archive (JAR) to the end of a signed MSI file. The appended data goes unnoticed because the MsiSIPVerifyIndirectData routine checks and authenticates only the beginning of the MSI file, never the bytes that follow the signed structure.
Quintero explained, "In short, an attacker can append a malicious JAR to a MSI file signed by a trusted software developer (like Microsoft Corporation, Google Inc. or any other well-known developer), and the resulting file can be renamed with the .jar extension and will have a valid signature according to Microsoft Windows."
"Attackers could append any data they want to the end of a signed MSI, and still have this file considered as verified by Windows. This trust bypass was made exploitable by appending a Java JAR executable to the end of the MSI. JAR files are evaluated from their end, thus creating a perfect malicious tandem:
- JAR execution is evaluated from file end, ignoring a possible prefix.
- MSI signatures verification is from file start, ignoring a possible suffix," added Tal Be'ery, Co-Founder of ZenGo, and Peleg Hadar, Senior Security Researcher at SafeBreach.
Hadar tweeted about the fix after examining a patched system, and deemed it "pretty simple".
Be'ery explains that the patched MsiSIPVerifyIndirectData now also checks the size of the MSI file against what the signed structure declares, so a file with data appended after the signed portion no longer verifies.
The duo used patch diffing (comparing the pre- and post-update binaries) to verify the fix and obtained the expected results. As shown in the gif below, a signed MSI with an appended JAR is reported as validly signed on an unpatched system and as invalid on a patched one.
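To make the "signed from the start, executed from the end" tandem and the size-check fix concrete, here is an added worked example; it is not code from the article, from VirusTotal, or from the ZenGo/SafeBreach researchers. The "signed MSI" is a hypothetical toy container (a magic string, a declared body length, the body, and an HMAC-SHA256 tag over the declared range) standing in for Authenticode on a real MSI, whose signature likewise covers the file's declared structure rather than every byte to end-of-file. The JAR is a genuine ZIP built with Python's `zipfile`, which, like Java's JAR loader, locates the archive by scanning backwards from end-of-file and therefore ignores whatever precedes it. The key, magic value and file names are constructed for the demonstration.

```python
"""Toy model of the CVE-2020-1464 ("GlueBall") MSI/JAR trust bypass and its fix.

Constructed example: the container format, key and sample data below are
stand-ins, not the real MSI/Authenticode format or any researcher's code.
"""
import hashlib
import hmac
import io
import struct
import zipfile

MAGIC = b"MSI!"                 # hypothetical container magic
KEY = b"demo-signing-key"       # stands in for the publisher's private key
TAG_LEN = hashlib.sha256().digest_size


def sign_msi(body: bytes, key: bytes = KEY) -> bytes:
    """Produce MAGIC || len(body) || body || HMAC(MAGIC || len(body) || body)."""
    header = MAGIC + struct.pack("<I", len(body))
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + tag


def _signed_end(blob: bytes) -> int:
    """Offset just past the tag, as computed from the *declared* body length."""
    (body_len,) = struct.unpack_from("<I", blob, len(MAGIC))
    return len(MAGIC) + 4 + body_len + TAG_LEN


def verify_unpatched(blob: bytes, key: bytes = KEY) -> bool:
    """Pre-fix behaviour: authenticate only the range the header declares.

    Bytes after the tag are never examined, so an appended suffix does not
    invalidate the signature (the MsiSIPVerifyIndirectData flaw, in miniature).
    """
    if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 4 + TAG_LEN:
        return False
    end = _signed_end(blob)
    if end > len(blob):          # truncated file
        return False
    signed, tag = blob[: end - TAG_LEN], blob[end - TAG_LEN : end]
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def verify_patched(blob: bytes, key: bytes = KEY) -> bool:
    """Post-fix behaviour: same check, plus the signed range must be the whole file."""
    return verify_unpatched(blob, key) and _signed_end(blob) == len(blob)


def make_jar(entries: dict) -> bytes:
    """Build an in-memory JAR (a ZIP with a manifest) from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Evil\n")
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def glue(signed_msi: bytes, jar: bytes) -> bytes:
    """The attacker's step: append the JAR after the signed MSI."""
    return signed_msi + jar


def jar_entries(blob: bytes) -> list:
    """Parse the blob as a ZIP. The end-of-central-directory record is found by
    scanning backwards from EOF and offsets are rebased on it, so the MSI prefix
    is simply ignored, which is why the polyglot still runs as a JAR."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def has_trailing_zip(blob: bytes) -> bool:
    """Defensive triage check: does the file end in a ZIP end-of-central-directory
    record? EOCD is 22 bytes plus an optional comment of at most 65535 bytes."""
    return b"PK\x05\x06" in blob[-(22 + 65535):]


if __name__ == "__main__":
    msi = sign_msi(b"compound-file-body " * 8)
    poly = glue(msi, make_jar({"Evil.class": b"\xca\xfe\xba\xbe demo"}))
    print("clean MSI   unpatched/patched:", verify_unpatched(msi), verify_patched(msi))
    print("MSI+JAR     unpatched/patched:", verify_unpatched(poly), verify_patched(poly))
    print("MSI+JAR     parses as JAR:", jar_entries(poly))
    print("MSI+JAR     trailing ZIP record:", has_trailing_zip(poly))
```

The `has_trailing_zip` check is a cheap heuristic for triaging files that pass signature verification on unpatched hosts: a legitimately signed installer has no reason to end in a ZIP end-of-central-directory record. It is not a substitute for installing the August update, which closes the gap by tying the verified range to the file size.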
When quizzed why it took two years to fix CVE-2020-1464, Microsoft told KrebsOnSecurity: "A security update was released in August. Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected," effectively side-stepping the question.