GlueBall security gap was only closed after 2 years!

M.Sc. Jan Hörnemann

GlueBall security gap was only closed after 2 years!

A security hole that has been known since 2018 has now been closed. This vulnerability was called GlueBall by the two discoverers and was given the rating “Important” by Microsoft after it was ignored for 2 years.

GlueBall explosion already reported in 2018

The story around GlueBall (CVE-2020-1464) has already been summarized on the online platform Medium by security researcher Tal Be’ery. The first sample about this security hole was already uploaded on the platform VirusTotal on 08.05.2018.

The first GlueBall example on VirusTotal

The co-founder of the malware scanning service VirusTotal, Bernardo Quintero, discovered the GlueBall security hole as early as August 2018 and reported it to Microsoft immediately after he found it.

Long silence around CVE-2020-1464

After Quintero reported the vulnerability, nothing happened until January 2019, but on January 15, 2019 Quintero published a blog post which explains the GlueBall vulnerability technically. The issue is that attackers can attach a malicious JAR- to an MSI file. It is important that the MSI file has been signed by a trustworthy software developer so that it is accepted by the operating system.

After this composite file is given a .jar extension, the attacker has a malware file that has been signed. A JAR file is an archive (comparable to .zip) that contains Java executable code. At the end of this blog post Bernardo Quintero wrote that he has permission from Microsoft to report on this topic. Microsoft has decided not to fix this problem for the time being.

This blog post was followed by further posts by Be’ery and other IT security experts until this security hole was apparently forgotten and only came back into the spotlight in June 2020.

June 2020 – Return of GlueBall

Some researchers found with replace that the long known security hole GlueBall is still present in June 2020. The vulnerability got new attention because of a GlueBall exploit which was made public by a blog post on the page Securityinbits.

This post quickly gained popularity, so that well-known IT security researchers such as Brian Krebs, for example, wrote their own blog post on this topic.

Finally Microsoft decided to close the security hole and even classify it as “Important”. Microsoft did not respond to questions from various IT security experts as to why it took about 2 years to fix the vulnerability. Why the gap has now been closed can only be guessed, but the new hustle and bustle that has arisen since June will have contributed to this.

Photo of author

M.Sc. Jan Hörnemann

Hello dear reader, my name is Jan Hörnemann. I am a TeleTrust Information Security Professional (T.I.S.P.) and have been dealing with information security topics on an almost daily basis since 2016. CeHv10 was my first hands-on certification in the field. With a Master of Science degree in Internet Security, I have learned about many different aspects and try to share them in live hacking shows as well as on our blog. In addition, I am active as an information security officer and have been qualified by TÜV for this activity (ISB according to ISO 27001)