Microsoft Put Off Fixing Zero Day for 2 Years
2020-08-17 04:05

A security flaw in the way Microsoft Windows guards users against malicious files was actively exploited in malware attacks for two years before last week, when Microsoft finally issued a software update to correct the problem.

One of the 120 security holes Microsoft fixed on Aug. 11's Patch Tuesday was CVE-2020-1464, a problem with the way every supported version of Windows validates digital signatures for computer programs.

Microsoft's advisory makes no mention of security researchers having told the company about the flaw, which Microsoft acknowledged was actively being exploited.

Asked to comment on why it waited two years to patch a flaw that was actively being exploited to compromise the security of Windows computers, Microsoft dodged the question, saying Windows users who have applied the latest security updates are protected from this attack.

"A security update was released in August," Microsoft said in a written statement sent to KrebsOnSecurity.


News URL

https://krebsonsecurity.com/2020/08/microsoft-put-off-fixing-zero-day-for-2-years/

Related Vulnerability

DATE        CVE            VULNERABILITY TITLE                                                                   RISK
2020-08-17  CVE-2020-1464  Improper Verification of Cryptographic Signature vulnerability in Microsoft products   0.0
            A spoofing vulnerability exists when Windows incorrectly validates file signatures.

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 365 49 1366 2822 162 4399