Microsoft took two years to fix a Windows critical security vulnerability

In  January 2019, a security researcher discovered a vulnerability in the Windows system signature verification. This vulnerability was subsequently submitted to Microsoft and confirmed by Microsoft.

This vulnerability was later assigned the vulnerability number CVE-2020-1464. The official Microsoft rating of this security vulnerability is serious, with a CVSS score of 5.3.

It is worth noting that Microsoft only fixed the vulnerability in its routine security update in August 2020. The company did not explain why it took two years to fix it.

After the vulnerability was repaired, the researchers issued an article criticizing Microsoft because the vulnerability had been exploited long ago and Microsoft exposed hundreds of millions of users at risk.

A digital signature is a security strategy commonly used by operating system and software developers. Digital signatures can be used to ensure that software packages are not tampered with to gain the trust of the system.

If the software package is tampered with, the signature will automatically become invalid. In some special areas, it will not be released without a digital signature, because only trusted software can be installed.

The vulnerability discovered by the researchers is to make signature verification useless. Hackers embed malicious Java packages (.jar) into legitimate software but do not destroy digital signatures.

Therefore, hackers can pretend to be any well-known developers such as Microsoft and Google, tamper with their software packages, load malicious codes, and then conduct phishing through online channels.

When the researchers notified Microsoft two years ago, Microsoft had already informed the researchers that the vulnerability was exploited in the wild, posing a high-security risk to users and systems.