Windows 10 October 2018 Update Hit by ZIP File Bug Spotted Months Before Release
Windows 10 October 2018 Update’s launch was rocky to say the least, with bugs popping up immediately after release, and one severe enough to delete user data upon installation. This caused Microsoft to suspend the rollout until it could fix the issue, and industry-wide outrage at the lack of quality control on part of the Redmond giant in fixing bugs that had already been spotted in preview stages. Now it appears Windows 10 October 2018 Update (aka Windows 10 version 1809) has been hit with another bug related to ZIP archives. In the meanwhile, a security researcher has publicly outed a zero-day vulnerability in Windows 10, Windows Server 2016, and Windows Server 2019. A patch for this vulnerability has yet to be rolled out by Microsoft.
First spotted by a Reddit user, the Windows 10 October 2018 Update contains a bug related to extracting/ pasting files from a ZIP archive when using the native Windows File Explorer tool. If a user tries to extract or paste a file (let’s say, gadgets360.jpg) from inside a ZIP archive into another folder containing another file with the same name (gadgets360.jpg), they will not be given an overwrite prompt. Instead, the destination folder file’s modified date changes, but the file is not replaced at all.
While this doesn’t sound as serious as the data-loss bug, and doesn’t actually overwrite the file, it is severe if one counts the use case where the original ZIP file is deleted by a user convinced they have replaced files. It also misleads users into believing there was no file in the destination folder that matched with files in the ZIP archive. Another Reddit user, who added that the bug also has the Windows File Explorer showing file transfer progress, corroborates the bug.
Notably, as was the case with the data-loss bug, a Windows Insider Preview tester had spotted the presence of ZIP file bug three months ago, and reported it to the Feedback Hub. However, thanks to just a few upvotes on the bug report (as was the case with the data-loss bug, ZDNet notes), it appears to have been overlooked by Microsoft when compiling the Windows 10 October 2018 Update. BleepingComputer adds that this bug was fixed in the Windows 10 Insider Preview Build 18234 (19H1) release that was pushed to testers a full month before the public rollout of the October 2018 Update. Unfortunately, this fix never made it to general users, but with a fix already in builds, one can expect Microsoft to patch it soon enough.
In light of the data-loss bug and how it was originally caught by testers but missed by Microsoft, the Redmond giant had published a short blog post on how it was changing the manner in which bugs could be reported in the Feedback Hub – bug reporters would now be able to add a severity rating. This, Microsoft hopes, would help ensure Windows 10 developers don’t miss out severe reports when fixing bugs in public releases. “We believe this will allow us to better monitor the most impactful issues even when feedback volume is low,” Brandon LeBlanc, Senior Program Manager on the Windows Insider Program Team said.
Next up, we have a new zero-day vulnerability reported by a security researcher who for now is just known by their Twitter handle – SandboxEscaper. It was publicly outed on Twitter on Tuesday, and this is not the first time that SandboxEscaper has found a zero-day Windows vulnerability and publicly outed it – the last time was less than two months ago. Microsoft acknowledged August’s bug report in a statement to ZDNet, and a fix was rolled out in the September 2018 Patch Tuesday update, but not before PowerPool group used it in a malware distribution campaign.
Getting back to Tuesday’s zero-day vulnerability disclosure by SandboxEscaper, a GitHub proof-of-concept has also been published alongside. The bug affects the Microsoft Data Sharing service, known as dssvc.dll in Windows 10, Windows Server 2016, and Windows Server 2019. The vulnerability allows attackers to elevate privileges on a machine they already have access to. While the proof-of-concept exploit only details how an attacker can delete files they don’t have permission to, the exploit could be modified to let attackers perform more actions, ZDNet cites several security experts to say. While Microsoft has yet to comment on this latest bug report, such a public disclosure may once again give bad actors a chance to weaponise it into malware campaigns before Microsoft can patch it. A security company called 0patch has in the meanwhile released a micropatch for the vulnerability, which could be used by concerned users before an official fix is released.