Microsoft knew a 0day from 2018 and fixed it in 2020

One of the security vulnerabilities fixed on Tuesday 11 August (Patch Tuesday) affects Windows 7, .1, Windows 10 και αρκετές εκδόσεις του Windows Server και η ίδια η Microsoft έχει αναφέρει ότι έχει δει επιθέσεις που χρησιμοποιούν αυτό το ελάττωμα.

It is a forgery vulnerability in the operating system and documented in CVE-2020-1464.

“A spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker who successfully exploited this vulnerability could bypass them security and load files that are not properly signed. In an attack scenario, an attacker could bypass security features to prevent improperly signed files from being loaded," Microsoft said.

Η knew that the works and that it has been publicly revealed since 2018.

KrebsOnSercurity reveals that the forgery vulnerability was reported to Microsoft by Bernardo Quintero, director of VirusTotal.

"Microsoft has decided not to resolve this issue in the current versions of Windows and has agreed that we may publish this exploit." refers in Virus Total.

Tal Be'ery, security researcher and founder of KZen Networks, also points out that the flaw was discovered in the summer of 2018 and somehow Microsoft decided not to fix it.

Microsoft, on the other hand, does not answer why it left them for so long of its customers exposed since 2018 and waiting until August 2020 to resolve the flaw.

Note that devices running Windows 7, which are themselves exposed to the same attack, will not be updated as support expired in January 2020.

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.100 registrants.

Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).