Security News > 2020 > August > Microsoft Put Off Fixing Zero Day for 2 Years
A security flaw in the way Microsoft Windows guards users against malicious files was actively exploited in malware attacks for two years before last week, when Microsoft finally issued a software update to correct the problem.
One of the 120 security holes Microsoft fixed on Aug. 11's Patch Tuesday was CVE-2020-1464, a problem with the way every supported version of Windows validates digital signatures for computer programs.
Microsoft's advisory makes no mention of security researchers having told the company about the flaw, which Microsoft acknowledged was actively being exploited.
Asked to comment on why it waited two years to patch a flaw that was actively being exploited to compromise the security of Windows computers, Microsoft dodged the question, saying Windows users who have applied the latest security updates are protected from this attack.
"A security update was released in August," Microsoft said in a written statement sent to KrebsOnSecurity.
News URL
https://krebsonsecurity.com/2020/08/microsoft-put-off-fixing-zero-day-for-2-years/
Related news
- Microsoft January 2025 Patch Tuesday fixes 8 zero-days, 159 flaws (source)
- Microsoft fixes actively exploited Windows Hyper-V zero-day flaws (source)
- 3 Actively Exploited Zero-Day Flaws Patched in Microsoft's Latest Security Update (source)
- Microsoft February 2025 Patch Tuesday fixes 4 zero-days, 55 flaws (source)
- Microsoft fixes two actively exploited zero-days (CVE-2025-21418, CVE-2025-21391) (source)
- Patch Tuesday: Microsoft Patches Two Actively Exploited Zero-Day Flaws (source)
- Microsoft fixes Power Pages zero-day bug exploited in attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-08-17 | CVE-2020-1464 | Improper Verification of Cryptographic Signature vulnerability in Microsoft products A spoofing vulnerability exists when Windows incorrectly validates file signatures. | 0.0 |