Microsoft Was Conscious of Windows Zero-Day Since 2018, Fixed It in August

One of the security vulnerabilities which were fixed as part of the August 11 Patch Tuesday affects Windows 7, Windows 8.1, Windows 10, and several Windows Server versions, with Microsoft itself admitting it’s already seeing attacks happening in the wild.

It’s a spoofing vulnerability within the operating-system and documented in CVE-2020-1464, using the company itself admitting that hackers could eventually be able to load improperly signed files with a successful exploit.

“A spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker who successfully exploited this vulnerability could bypass security features and load improperly signed files. Within an attack scenario, an assailant could bypass security features meant to prevent improperly signed files from being loaded,” Microsoft said.

And while the software giant confirmed the bug was publicly disclosed and exploitation was already detected, it appears as though it had been conscious of its existence since 2018.

Windows 7 devices left exposed

KrebsOnSercurity reveals that the spoofing vulnerability was reported to Microsoft by Bernardo Quintero, the manager of VirusTotal, who confirmed the company itself validated his findings.

“Microsoft has decided that it’ll not be fixing this issue in the current versions of Windows and agreed we are able to blog about this case and our findings publicly,” said inside a article highlighted through the cited source.

Tal Be’ery, a security researcher and founding father of KZen Networks, also points to evidence that the flaw is discovered in the summer of 2018 and somehow Microsoft chose to not patch it at that time.

Microsoft, on the other hand, sidestepped an issue concerning the causes of waiting so far for a patch. However the worse thing is that Microsoft not releasing a fix in 2018 and waiting until August 2020 to solve the operating system flaw means Windows 7 devices, which themselves are exposed to attacks, are no longer obtaining the patch, as its support came to a close in January 2020.