GlueBall Vulnerability (CVE-2020-1464)
Microsoft finally patched “GlueBall” (CVE-2020-1464: Windows Spoofing Vulnerability), a zero-day that has existed for years. A spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker who successfully exploited this vulnerability could bypass security features and load maliciously signed files. In an attack scenario, an attacker could bypass security features intended to prevent improperly signed files from being loaded. The update addresses the vulnerability by correcting how Windows validates file signatures.
Authenticode is Microsoft’s in-house code-signing technology for ensuring that an app or driver comes from a known and trusted source and hasn’t been tampered with by anyone else. Because they modify the OS kernel, drivers can be installed on Windows 10 and Server 2019 only when they bear one of these cryptographic signatures. On earlier Windows versions, digital signatures still play an important role in helping AV and other protections to detect malicious wares.
Digitally signed files are more trusted by the operating system. This higher trust allows such files to execute in sensitive contexts or to be excluded from antivirus scans. Consequently, attackers try to spoof these digital certificates to gain these extended privileges for their malicious code. Attackers attempt to bypass this protection by signing their malware with a valid certificate stolen from a legitimate provider. The security patch listed below prevents this from happening.
Timeline
- August 2018: A “GlueBall” sample was uploaded to VirusTotal.com (VirusTotal is a site that analyzes potentially malicious files and websites).
- January 2019: VirusTotal published an analysis of the GlueBall core issue. After Microsoft understood the issue, it added some support for it in external tools, but decided they would not fix this for the current version of Windows.
- January 2019: Following the VirusTotal blog, posts on using GlueBall to hide malicious content were published.
- June 2020: Following some in-the-wild exploitation with popular malware, GlueBall was “re-discovered” and highlighted on social media.
- August 2020: Microsoft patched GlueBall, 2 years after it was first discovered in the wild.
Definition
- VirusTotal inspects items with over 70 antivirus scanners and URL/domain blacklisting services, in addition to a myriad of tools to extract signals from the studied content. Any user can select a file from their computer using their browser and send it to VirusTotal.
Operating Systems
- Windows 7, 8.1, 10
- Windows Server 2008, 2012, 2016, 2019
Solution
- Organizations should patch this as soon as possible. For the Microsoft security update, see https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1464