Windows 10 October 2018 Update’s launch was rough, to say the least, with bugs popping up immediately after launch, and one severe enough to delete user data upon installation.
This caused Microsoft to suspend the rollout until it could fix the issue, and drew industry-wide outrage at the lack of quality control within the Redmond giant in fixing bugs that had been spotted in preview stages. It seems Windows 10 October 2018 Update (aka Windows 10 version 1809) has now been hit with another bug, this one related to ZIP archives. In the meantime, a security researcher has publicly disclosed a zero-day vulnerability in Windows 10, Windows Server 2016, and Windows Server 2019. A patch for this vulnerability has yet to be rolled out by Microsoft.
First seen by a Reddit user, the Windows 10 October 2018 Update includes a bug associated with extracting or pasting files from a ZIP archive while using the native Windows File Explorer tool. If a user attempts to extract or paste a file (let us say, gadgets360.jpg) from inside a ZIP archive into a different folder containing another file with the same name (gadgets360.jpg), they won’t be given an overwrite prompt. Instead, the modified date of the file in the destination folder changes, but the file isn’t replaced at all.
While this does not sound as serious as the data-loss bug, and doesn’t actually overwrite the file, it is severe if one counts the use case where the original ZIP file is deleted by a user convinced they have replaced files. Additionally, it misleads users into believing there weren’t any files in the folder that matched files from the ZIP archive. Another Reddit user corroborates the bug, adding that Windows File Explorer also shows file transfer progress.
Notably, as had been the case with the data-loss bug, a Windows Insider Preview tester had seen the ZIP file bug three months ago and reported it to the Feedback Hub. However, thanks to just a few upvotes on the bug report (as was the case with the data-loss bug, ZDNet notes), it seems to have been missed by Microsoft when compiling the Windows 10 October 2018 Update. BleepingComputer adds that this bug was fixed in the Windows 10 Insider Preview Build 18234 (19H1) release that was pushed to testers a full month before the public rollout of the October 2018 Update. Sadly, this fix never made it to general users, but with a fix already present in Insider Preview builds, one can expect Microsoft to patch it soon enough.
In light of the data-loss bug and how it was originally caught by testers but missed by Microsoft, the Redmond giant had published a brief blog post on how it was changing the way bugs could be reported at the Feedback Hub: bug reporters would now have the ability to put in a severity rating. This, Microsoft hopes, would help ensure Windows 10 developers don’t miss severe reports when fixing bugs in public releases. “We believe this enables us to better track the most impactful issues even when comments quantity is reduced,” Brandon LeBlanc, Senior Program Manager on the Windows Insider Program Team, explained.
Next up, we have a fresh zero-day vulnerability reported by a security researcher who for now is known only by their Twitter handle, SandboxEscaper. It was publicly disclosed on Twitter on Tuesday, and this isn’t the first time that SandboxEscaper has discovered a zero-day Windows vulnerability and publicly disclosed it; the last time was less than two months ago. Microsoft acknowledged August’s bug report in a statement to ZDNet, and a fix was rolled out in the September 2018 Patch Tuesday update, although perhaps not before the PowerPool group used it in a malware distribution campaign.
The vulnerability allows attackers to elevate privileges on a machine that they already have access to. Though the proof-of-concept exploit just details how an attacker may delete files they don’t have permission to, the exploit could be altered to let attackers perform more actions, ZDNet cites many security experts as saying. Even though Microsoft has yet to comment on this newest bug report, this type of public disclosure could once again give bad actors a chance to weaponise it in malware campaigns before Microsoft can patch it. A security firm called 0patch has in the meantime released a micropatch for the vulnerability, which could be used by concerned users before an official fix is released.