One of the patches included in the August "Patch Tuesday" fixed the vulnerability CVE-2020-1464, which allowed MSI files to be turned into malicious Java executables while keeping a legitimate digital signature. In essence, the problem allowed an attacker to bypass security mechanisms and load improperly signed files.
This week experts from Zengo and SafeBreach Labs reminded that this vulnerability can hardly be called new, since the problem was discovered two years ago. Moreover, Microsoft representatives initially stated that they would not fix this bug.
As it turned out, back in January 2019, VirusTotal specialist Bernardo Quintero publicly described how in 2018 he found a malicious Java executable with a legitimate digital signature, which had been uploaded to and flagged by the VirusTotal Monitor service.
After examining the file, the expert concluded that the malware is an MSI file with a Java JAR appended to it. As you can see in the screenshot below, although the MSI file was modified and renamed to a JAR file, Windows still believed it was signed with a valid Google certificate.
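The structural trick the article describes (an OLE/MSI container at the front of the file, a ZIP/JAR central directory at the end) can be spotted without trusting the signature check at all. The following Python script is an added example for defenders, not code from the article, from Quintero or from Microsoft: it flags a file that begins with the OLE compound-file magic every MSI uses and also ends with a valid ZIP End Of Central Directory record, which is what Java's archive loader looks for. The sample inputs are constructed in memory (the "MSI" is only a header-sized stub, not a real installer), and the script checks file structure only; it does not verify or replace Authenticode validation.

```python
import io
import struct
import zipfile

# OLE2 / Compound File Binary header; every Windows Installer (.msi) file starts with it.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# ZIP End Of Central Directory (EOCD) signature. A JAR is a ZIP archive, and ZIP readers
# (including Java's) locate the archive by scanning backwards from end of file for this record.
EOCD_SIG = b"PK\x05\x06"
# The EOCD record is 22 bytes, optionally followed by a comment of at most 65535 bytes,
# so a valid record can start no earlier than this many bytes before end of file.
EOCD_SEARCH_WINDOW = 22 + 65535


def starts_like_msi(data: bytes) -> bool:
    """True if the file carries the OLE compound-file header used by MSI packages."""
    return data[:8] == OLE_MAGIC


def find_zip_eocd(data: bytes):
    """Return the offset of a ZIP EOCD record that terminates the file, or None.

    Besides finding the signature, the comment-length field must make the record
    end exactly at end of file, which is what a real ZIP reader requires.
    """
    tail_start = max(0, len(data) - EOCD_SEARCH_WINDOW)
    idx = data.rfind(EOCD_SIG, tail_start)
    if idx == -1 or idx + 22 > len(data):
        return None
    comment_len = struct.unpack_from("<H", data, idx + 20)[0]
    if idx + 22 + comment_len != len(data):
        return None
    return idx


def is_msi_jar_polyglot(data: bytes) -> bool:
    """True when a file is an OLE/MSI container at the front and a ZIP archive at the back."""
    return starts_like_msi(data) and find_zip_eocd(data) is not None


def scan_file(path: str) -> bool:
    """Convenience wrapper for scanning a file on disk."""
    with open(path, "rb") as fh:
        return is_msi_jar_polyglot(fh.read())


# --- constructed sample inputs (not real malware, not real installers) ---

def build_sample_jar() -> bytes:
    """A minimal JAR: a manifest plus a placeholder class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Demo\n")
        zf.writestr("Demo.class", b"\xCA\xFE\xBA\xBE" + b"\x00" * 16)
    return buf.getvalue()


def build_sample_msi_stub() -> bytes:
    """Stand-in for an MSI: the OLE magic followed by zeroed header space (constructed)."""
    return OLE_MAGIC + b"\x00" * 1016


SAMPLE_MSI = build_sample_msi_stub()
SAMPLE_JAR = build_sample_jar()
SAMPLE_POLYGLOT = SAMPLE_MSI + SAMPLE_JAR  # MSI front, JAR back: the shape described above


if __name__ == "__main__":
    for name, blob in (("msi stub", SAMPLE_MSI), ("plain jar", SAMPLE_JAR), ("msi+jar", SAMPLE_POLYGLOT)):
        print(f"{name:10s} polyglot={is_msi_jar_polyglot(blob)} eocd={find_zip_eocd(blob)}")
```

Because the check keys on the EOCD record actually terminating the file, a legitimate MSI that merely contains the bytes "PK\x05\x06" somewhere inside a stream is not flagged; only a file whose tail parses as a complete ZIP archive is. On a fleet that is not yet patched for CVE-2020-1464, this kind of structural check is a cheap complement to signature validation rather than a replacement for it.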
Quintero immediately reported the file to Microsoft (on August 18, 2018), but the researcher was told that the company had no plans to fix the flaw.
“This attack vector has been tested on the latest and updated versions of Windows 10 and Java available at the time of writing (Windows 10 version 1809 and Java SE Runtime Environment 8 Update 191). Microsoft has decided that it will not address this issue in current versions of Windows and has given permission to share this case and our findings in a blog post,” Quintero wrote in 2019.
Now, after the release of the patch for CVE-2020-1464, Windows no longer treats MSI files as signed if they have been modified by appending a JAR. Below you can see how Windows 10 1909 (left) and the new Windows 10 2004 (right) react to such files.
It is not known why it took Microsoft two years to fix this problem, and Bernardo Quintero's name is not mentioned in the company's report. Microsoft representatives have not commented on the situation.