Security News > 2020 > October > Microsoft fixes Windows certificate spoofing bug abusing CAT files
Microsoft's October 2020 Patch Tuesday fixed 87 security bugs, one of which is an "Important" Windows Spoofing Vulnerability that abuses CAT files.
The flaw allows an attacker to combine a legitimately signed Microsoft Windows Installer package with the attacker's JAR file into an encapsulating JAR file.
"A spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker who successfully exploited this vulnerability could bypass security features and load improperly signed files," Microsoft's CVE-2020-16922 advisory states.
In a private Microsoft enterprise security advisory shared with BleepingComputer, Microsoft explains that yesterday's update extends August's CVE-2020-1464 to include Microsoft catalog files, which can also be signed with a digital signature.
"Malware authors have exploited this vulnerability by crafting polyglot malware, combining multiple file types to produce a new merged type. More specifically, they have used validly signed MSI or CAT files from Microsoft and other software publishers, combining them with malicious Java archives and files to take full advantage of the way JAR files are read," the advisory further continued.
News URL
Related news
- Microsoft lifts Windows 11 24H2 block on PCs with USB scanners (source)
- Microsoft says Auto HDR causes game freezes on Windows 11 24H2 (source)
- Microsoft adds another problem to the Windows 11 24H2 naughty list (source)
- Microsoft may have scrapped Windows 11's dynamic wallpapers feature (source)
- Microsoft to force install new Outlook on Windows 10 PCs in February (source)
- Microsoft 365 apps crash on Windows Server after Office update (source)
- Microsoft fixes actively exploited Windows Hyper-V zero-day flaws (source)
- Microsoft ends support for Office apps on Windows 10 in October (source)
- Microsoft expands testing of Windows 11 admin protection feature (source)
- Microsoft starts force upgrading Windows 11 22H2, 23H3 devices (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-10-16 | CVE-2020-16922 | Improper Verification of Cryptographic Signature vulnerability in Microsoft products <p>A spoofing vulnerability exists when Windows incorrectly validates file signatures. | 0.0 |
| 2020-08-17 | CVE-2020-1464 | Improper Verification of Cryptographic Signature vulnerability in Microsoft products A spoofing vulnerability exists when Windows incorrectly validates file signatures. | 0.0 |