As is usually the case, last week’s Patch Tuesday saw Microsoft squash plenty of bugs across its Windows platform. As always, the updates covered many versions of Windows 10. It seems one of the patches has ended the two-year-old GlueBall flaw for users.
According to reports, August Patch Tuesday includes a fix for a Windows 10 zero-day flaw that was first reported way back in 2018.
Specifically, in the CVE-2020-1464 fix, Microsoft plugged a hole across Windows versions to solve improper handling of file signatures. Microsoft confirms this fix in its release notes:
“A spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker who successfully exploited this vulnerability could bypass security features and load improperly signed files. In an attack scenario, an attacker could bypass security features intended to prevent improperly signed files from being loaded.”
Security research Tal Be’ery took to Medium to point out this vulnerability was first found in August 2018, exactly two years ago. It was found by VirusTotal manager Bernardo Quintero and the vulnerability is known as GlueBall.
Microsoft was told of the flaw at the time and following the standard 90-day period for the company to issue a fix, Quintero published his discovery (Jan. 2019).
What’s interesting is Microsoft knew about the zero-day, acknowledged it, give some mitigations, but decided not to issue a fix. In fact, the company said at the time it would not fix the problem. Redmond is usually quick to handle zero-day vulnerabilities for obvious reasons. It remains unclear why the company did not want to fix GlueBall at the time.
Security experts have spent the last two years highlighting how GlueBall can be exploited in the wild. For some reason, Microsoft has clearly had a change of heart. Whether the company didn’t see the flaw as a major threat but now does, or thought a fix would harm another feature, is unclear.
Either way, Microsoft has now issued a fix in Patch Tuesday. In the company’s security advisory, Microsoft says the fix covers Windows 7, 8, 8.1, RT, Server 2008, 2012, 2016, 2019, and all Windows 10 versions.
Speaking to KrebsonSecurity, Microsoft confirmed the fix but stuck to being vague on the reasons for the delay.
“A security update was released in August. Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected.”