Flaw was already exploited in the wild, company confirmed

Aug 17, 2020 06:05 GMT

One of the security vulnerabilities that were fixed as part of the August 11 Patch Tuesday affects Windows 7, Windows 8.1, Windows 10, and several Windows Server versions, with Microsoft itself admitting it’s already seeing attacks happening in the wild.

It’s a spoofing vulnerability in the operating system, documented as CVE-2020-1464, and the company itself admits that a successful exploit could eventually let hackers load improperly signed files.

“A spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker who successfully exploited this vulnerability could bypass security features and load improperly signed files. In an attack scenario, an attacker could bypass security features intended to prevent improperly signed files from being loaded,” Microsoft said.

And while the software giant confirmed that the bug was publicly disclosed and that exploitation has already been detected, it looks like it had been aware of its existence since 2018.

Windows 7 devices left exposed

KrebsOnSecurity reveals that the spoofing vulnerability was reported to Microsoft by Bernardo Quintero, the manager of VirusTotal, who confirmed that the company itself validated his findings.

“Microsoft has decided that it will not be fixing this issue in the current versions of Windows and agreed we are able to blog about this case and our findings publicly,” reads a blog post highlighted by the cited source.

Tal Be’ery, a security researcher and founder of KZen Networks, also points to evidence that the flaw was discovered in the summer of 2018 and somehow Microsoft decided to not patch it at that point.

Microsoft, on the other hand, sidestepped a question regarding the reasons for waiting until now for a patch. But the worst part is that, because Microsoft did not release a fix in 2018 and waited until August 2020 to resolve the operating system flaw, Windows 7 devices, which are themselves exposed to attacks, are no longer getting the patch, as support for the operating system came to an end in January 2020.