This induced Microsoft into suspend the rollout till it could fix the matter, and industry-wide outrage in the lack of quality control on part of the Redmond giant in repairing bugs which had been seen in trailer stages. It seems Windows 10 October 2018 Update (aka Windows 10 version 1809) was struck with another bug related to ZIP archives. A patch for this vulnerability has not yet been rolled out by Microsoft. First spotted by a Reddit user, the Windows 10 October 2018 Update includes a bug associated with extracting/ pasting files from a ZIP archive when using the native Windows File Explorer tool. When a user tries to extract or glue a file (let’s say, gadgets360.jpg) from within a ZIP archive into a different folder containing a different file with the same title (gadgets360.jpg), they won’t be granted an overwrite prompt. Rather, the destination folder file’s modified date changes, however, the file is not replaced in any way.
While this does not seem as serious as the data-loss bug, and doesn’t actually overwrite the document, it is severe if one counts the usage case where the first ZIP file is deleted by a user convinced they have replaced files. It also divides users into thinking there wasn’t any record in the destination folder that matched with files in the ZIP archivefile. Another Reddit user, who added that the bug also gets the Windows File Explorer showing file transfer progress, corroborates the bug.
Especially, as had been the case with all the data-loss insect, a Windows Insider Preview tester had seen the existence of ZIP file bug three months past, and reported it to the Feedback Hub. However, thanks to only several upvotes on the bug report (as had been the situation with the data-loss bug, ZDNet notes), it seems to have been overlooked by Microsoft after compiling the Windows 10 October 2018 Update. BleepingComputer adds this bug had been fixed in the Windows 10 Insider Preview Build 18234 (19H1) release that has been pushed to testers a complete month prior to the public rollout of this October 2018 Update.
In light of the data-loss bug and the way it was initially captured by testers but missed by Microsoft, the Redmond giant had released a short blog post about how it was changing the way bugs might be reported in the Feedback Hub – bug reporters would now have the ability to add a severity score. This, Microsoft hopes, would help ensure Windows 10 developers don’t overlook severe reports when repairing bugs in public releases. “We believe that this will allow us to better monitor the most demanding issues even when feedback quantity is low,” Brandon LeBlanc, Senior Program Manager on the Windows Insider Program Team said.
Next up, we have a fresh zero-day vulnerability reported by a security researcher for now is only known by their own Twitter manage – SandboxEscaper. It was publicly outed on Twitter on Tuesday, also this isn’t the first time that SandboxEscaper has found a zero-day Windows vulnerability and publicly outed it – the last time was less than two months ago. Microsoft acknowledged August’s bug report in a statement to ZDNet, along with a fix was rolled out from the September 2018 Patch Tuesday upgrade , but not before PowerPool group utilized it in a malware distribution effort.
The bug affects the Microsoft Data Sharing support, known as dssvc.dll from Windows 10, Windows Server 2016, and Windows Server 2019. The vulnerability permits attackers to elevate privileges on a machine that they have access to. Though the proof-of-concept exploit only details how an attacker can delete files they do not have permission to, the exploit could be modified to let attackers perform more actions, ZDNet cites several security specialists to state. While Microsoft has yet to comment on this latest bug report, this type of public disclosure may once again give bad actors a chance to weaponise it in to malware campaigns before Microsoft can patch it. A security company called 0patch has in the meanwhile released that a micropatch for the vulnerability, which could be used by concerned users prior to the official fix is released.