Skip to content

GlueBall Vulnerability (CV-2020-1464)

Microsoft finally patched a zero-day that has existed for years named “GlueBall” (CV-2020-1464: Windows Spoofing Vulnerability). A spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker who successfully exploited this vulnerability could bypass security features and load maliciously signed files. In an attack scenario, an attacker could bypass security features intended to prevent improperly signed files from being loaded. The update addresses the vulnerability by correcting how Windows validates file signatures.

Authenticode is Microsoft’s in-house code-signing technology for ensuring that an app or driver comes from a known and trusted source and hasn’t been tampered with by anyone else. Because they modify the OS kernel, drivers can be installed on Windows 10 and Server 2019 only when they bear one of these cryptographic signatures. On earlier Windows versions, digital signatures still play an important role in helping AV and other protections to detect malicious wares.

Digitally signed files are more trusted by the Operating System. This higher trust allows such files to execute in sensitive contexts or excluded from Antivirus scans. Consequently, attackers are trying to spoof these digital certificates to gain these extended privileges for their malicious code. Attackers attempt to bypass this protection by signing their malware with a valid certificate stolen from a legitimate provider. The security patch listed below prevents this from happening.


  • August 2018: A“GlueBall”sample was uploaded to (VirusTotal is a site that analyzes potentially malicious files and websites)
  • January 2019: VirusTotal published an analysis of GlueBall core issue, after Microsoft understood the issue, added some support to it on external tools, but Microsoft decided the would not fix this for the current version of Windows.
  • January 2019:Following the VirusTotal blog, posts on using GlueBall to hide malicious content were published.
  • June 2020:Following some in the wild exploitation with popular malware,GlueBall was “re-discovered”and highlighted by social media
  • August 2020:Microsoft patched GlueBall, 2 years after it was first discovered in the wild.


  • VirusTotal inspects items with over 70 antivirus scanners and URL/domain blacklisting services, in addition to a myriad of tools to extract signals from the studied content. Any user can select a file from their computer using their browser and send it to VirusTotal.

Operating Systems

  • Windows 7, 8.1, 10
  • Windows Server 2008, 2012, 2016, 2019