This induced Microsoft to suspend the rollout till it might repair the matter, and industry-wide outrage in the lack of quality control within the Redmond giant in fixing bugs which had been spotted in trailer stages. It appears Windows 10 October 2018 Update (aka Windows 10 variant 1809) has been struck with another bug related to ZIP archives. At the meanwhile, a security researcher has publicly outed a zero-day vulnerability in Windows 10, Windows Server 2016, and Windows Server 2019. A patch for this vulnerability has not yet been rolled out by Microsoft. First seen with a Reddit user, the Windows 10 October 2018 Update includes a bug associated with extracting/ pasting files from a ZIP archive when using the native Windows File Explorer tool. When a user tries to extract or paste a document (let us say, gadgets360.jpg) from inside a ZIP archive into another folder containing a different file with the exact same title (gadgets360.jpg), they will not be granted an overwrite prompt. Rather, the destination folder file’s modified date changes, however, the file isn’t replaced in any way.
While this does not seem as serious as the data-loss bug, and doesn’t actually overwrite the file, it is acute if one counts the use case where the first ZIP file is deleted by a user certain that they have replaced documents. Additionally, it divides users into thinking there was no record in the folder which matched with files in the ZIP archive. Another Reddit user, that added the bug also gets the Windows File Explorer showing file transfer advancement, corroborates the bug.
Especially, as had been the situation with all the data-loss bug, a Windows Insider Preview tester had seen the presence of ZIP file bug three months ago, and reported it to the Feedback Hub. But thanks to just a few upvotes on the bug report (as had been the case with the data-loss bug, ZDNet notes), it seems to have been overlooked by Microsoft when compiling the Windows 10 October 2018 Update. BleepingComputer adds that this bug had been fixed in the Windows 10 Insider Preview Build 18234 (19H1) release that has been pushed to testers a full month before the public rollout of the October 2018 Update. Unfortunately, this fix never made it to general users, but with a fix already in builds, one can expect Microsoft to patch it soon enough.
In light of the data-loss bug and how it was originally captured by testers but missed by Microsoft, the Redmond giant had released a short blog post on how it was altering the manner in which bugs might be reported at the Feedback Hub – insect terrorists would currently have the ability to add a severity rating. This, Microsoft hopes, would help ensure Windows 10 developers do not overlook intense reports when fixing bugs in public releases. “We believe this enables us to better track the most impactful issues even when feedback quantity is low,” Brandon LeBlanc, Senior Program Manager on the Windows Insider Program Team said.
Next up, we’ve got a new zero-day vulnerability reported by a security researcher who for today is only known by their own Twitter manage – SandboxEscaper. It was publicly outed on Twitter on Tuesday, and this isn’t the first time that SandboxEscaper has discovered a zero-day Windows vulnerability and publicly outed it the last time was less than two weeks past . Microsoft confessed August’s bug report in a announcement to ZDNet, and a repair was rolled out from the September 2018 Patch Tuesday update, but maybe not before PowerPool group utilized it at a malware distribution effort.
The bug affects the Microsoft Data Sharing service, known as dssvc.dll from Windows 10, Windows Server 2016, and Windows Server 2019. The vulnerability allows attackers to elevate privileges on a machine they have access to. Though the proof-of-concept exploit just details how the attacker can delete files they do not have permission to, the exploit could be altered to let attackers perform more actions, ZDNet cites several security specialists to say. While Microsoft has yet to comment on this newest bug report, such a public disclosure could once more give poor actors a opportunity to weaponise it into malware attempts before Microsoft can spot it. A security company called 0patch has in the released a micropatch for the vulnerability, which might be used by concerned users prior to an official fix has been released.