What We Know About the Microsoft Zero-Day Exploit “Glueball”

Microsoft released an unusually high number of patches across its products in the last several months. This includes patches to the Windows family of operating systems, which researchers say have had a major vulnerability left unaddressed for two years.

CVE-2020-1464, also known as Glueball, is a flaw in the cryptographic checks behind Windows’ application trust system. When a user installs an application from a .msi installer, Windows scans the installer, computes its signature and compares it against a digital certificate to tell the user whether the installer comes from a trusted source. The flaw is that the signature is computed by reading the file front to back, while code execution starts from the back of the file, which lets an attacker “glue” Java code to the end. Because appending data to the end of an installer does not invalidate its digital signature, a modified installer passes the trust check even though it carries a malicious payload at the far end of the file.
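As an added example (not from the original post, and not Microsoft's or VirusTotal's code), here is a Python check a defender can run over downloaded installers: it flags a file that starts with the MSI (OLE compound document) header yet also ends with a ZIP/JAR archive that a Java reader would open, the “glued” shape described above. The word “polyglot” and both fixtures are assumptions of the example; the fixtures are constructed stand-ins, not real installers.

```python
import io
import struct
import zipfile

# MSI installers are OLE compound documents; JAR readers locate a ZIP from its end.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
EOCD_SIG = b"PK\x05\x06"   # ZIP end-of-central-directory record
CDFH_SIG = b"PK\x01\x02"   # ZIP central-directory file header


def find_trailing_zip(data: bytes):
    """Locate a ZIP archive the way a JAR reader does: scan backwards for the EOCD
    record (up to 64 KiB of comment may follow it) and confirm it points at a real
    central directory. Returns a dict of offsets, or None if there is no archive."""
    idx = data.rfind(EOCD_SIG, max(0, len(data) - (22 + 0xFFFF)))
    if idx < 0 or idx + 22 > len(data):
        return None
    # EOCD: sig(4) disk(2) cd_disk(2) entries_here(2) entries(2) cd_size(4) cd_offset(4) comment_len(2)
    _, _, _, entries, cd_size, _cd_offset, comment_len = struct.unpack_from("<HHHHIIH", data, idx + 4)
    if idx + 22 + comment_len != len(data):
        return None              # the record does not end the file, so it is not the real EOCD
    cd_start = idx - cd_size     # the central directory sits directly before the EOCD; cd_offset
    if cd_start < 0 or data[cd_start:cd_start + 4] != CDFH_SIG:   # is ignored because readers
        return None              # re-base it when foreign bytes precede the archive
    return {"eocd": idx, "central_dir": cd_start, "entries": entries}


def classify(data: bytes) -> str:
    """Return 'msi', 'zip', 'polyglot' (MSI header plus a readable archive at the tail) or 'unknown'."""
    is_ole = data.startswith(OLE_MAGIC)
    trailer = find_trailing_zip(data)
    if is_ole and trailer:
        return "polyglot"        # the shape a signed installer with glued-on Java code takes
    if is_ole:
        return "msi"
    return "zip" if trailer else "unknown"


# Constructed fixtures (hypothetical, not real installers): one 512-byte OLE header
# sector stands in for an MSI, and a one-entry ZIP stands in for a JAR.
MSI_STANDIN = OLE_MAGIC + b"\x00" * 504


def constructed_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("hello.txt", "constructed test entry\n")
    return buf.getvalue()
```

On a live system, pair this shape check with the signature verification itself; a “polyglot” verdict is the trigger for quarantine and analysis, since the signature alone will still report the file as trusted.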

How have threat actors used the Glueball zero-day exploit?

This attack can be used to do almost anything, as long as a user can be tricked into executing the modified application installer. Any payload that can be implemented in a Java .jar file can be dropped with this exploit. The extent of damage due to Glueball is not yet known, but since the sample behind the original 2018 report to VirusTotal was malware discovered in the wild, it is possible that attackers have been exploiting Glueball for longer than two years.

Microsoft released patches to protect against the Glueball vulnerability on August 11, 2020. However, researcher Bernardo Quintero of VirusTotal, who analyzed the vulnerability in 2018, says the Microsoft Security Response Center confirmed his findings in January 2019 but decided to take no action. It is unclear why Microsoft gave researchers permission to publish about the discovery a year and a half before patching it. Perhaps more surprising is that Microsoft initially announced it had no plans to patch the flaw at all.

Are you protected from the Glueball zero-day exploit?

To protect yourself from Glueball attacks, run Windows Update on every device running Windows. Affected operating systems include Windows 7, 8.1, RT 8.1, 10, Windows Server 2008, 2012, 2016, and 2019. Windows 7 and Windows Server 2008 have already been dropped from Microsoft’s support schedule and will not receive a patch. As always, your best defense against cyberattacks is a comprehensive security strategy that combines multiple independent layers of protection, including vigilant Internet hygiene. But the only protection against zero-day exploits is to find them before they find you.

Our breach and attack simulation platform rAPTOR tests your enterprise’s ability to thwart cyberattacks, including new zero-day exploits our researchers develop. Breach and attack simulation adds another layer of security to your enterprise by measuring how effective your current security controls are at detecting and thwarting attacks. With our library of threat artifacts at your disposal, you can test your enterprise’s strength against the attacks that pose the greatest threat to your goals.
