
GlueBall security gap was only closed after 2 years!


A security hole that has been known since 2018 has now been closed. Its two discoverers named the vulnerability GlueBall, and Microsoft rated it “Important” after ignoring it for 2 years.

GlueBall already reported in 2018

The story of GlueBall (CVE-2020-1464) has been summarized on the online platform Medium by security researcher Tal Be’ery. The first sample related to this security hole was uploaded to VirusTotal on 08.05.2018.

The first GlueBall example on VirusTotal

The co-founder of the malware scanning service VirusTotal, Bernardo Quintero, discovered the GlueBall security hole as early as August 2018 and reported it to Microsoft immediately after he found it.

Long silence around CVE-2020-1464

After Quintero reported the vulnerability, nothing happened until January 2019. On January 15, 2019, Quintero published a blog post that explains the GlueBall vulnerability technically. The issue is that attackers can attach a malicious JAR file to an MSI file. It is important that the MSI file has been signed by a trustworthy software developer so that it is accepted by the operating system.

Once this composite file is given a .jar extension, the attacker has a malware file that has been signed. A JAR file is an archive (comparable to .zip) that contains executable Java code. At the end of the blog post, Bernardo Quintero wrote that he had permission from Microsoft to report on this topic. Microsoft had decided not to fix the problem for the time being.
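A defender can test files for this layout: MSI files are OLE compound files and begin with a fixed magic value, while a JAR is a ZIP archive that readers locate from the end-of-central-directory record at the end of the file. The following is an added example, not code from the original post or from the researchers it cites; the function names are hypothetical and the sample bytes are constructed stand-ins, not real MSI files.

```python
"""Flag files that start as an OLE compound file (MSI) but end as a ZIP/JAR."""
import io
import struct
import zipfile

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file header (MSI container)
EOCD_SIG = b"PK\x05\x06"   # ZIP end-of-central-directory signature
EOCD_LEN = 22              # EOCD size without the trailing comment

def find_eocd(data: bytes) -> int:
    """Offset of a ZIP EOCD record that ends exactly at EOF, else -1."""
    floor = max(0, len(data) - EOCD_LEN - 0xFFFF)  # comment is at most 65535 bytes
    pos = data.rfind(EOCD_SIG, floor)
    while pos != -1:
        if pos + EOCD_LEN <= len(data):
            (comment_len,) = struct.unpack_from("<H", data, pos + 20)
            if pos + EOCD_LEN + comment_len == len(data):
                return pos
        pos = data.rfind(EOCD_SIG, floor, pos)  # try an earlier candidate
    return -1

def inspect_bytes(data: bytes) -> dict:
    """Report the container at the head, an archive at the tail, and JAR-like entries."""
    head_is_cfb = data.startswith(CFB_MAGIC)
    eocd = find_eocd(data)
    names = []
    if eocd != -1:
        try:
            # zipfile locates entries from the EOCD, so leading bytes are tolerated
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            eocd = -1
    jar_like = any(n == "META-INF/MANIFEST.MF" or n.endswith(".class") for n in names)
    return {"cfb_header": head_is_cfb, "zip_trailer": eocd != -1,
            "jar_like": jar_like, "suspicious": head_is_cfb and eocd != -1}

def constructed_samples() -> dict:
    """Constructed stand-ins: only the magic bytes plus padding, not real MSI files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    plain_cfb = CFB_MAGIC + b"\x00" * 504
    return {"plain_cfb": plain_cfb, "plain_jar": buf.getvalue(),
            "cfb_plus_zip": plain_cfb + buf.getvalue()}

if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(name, inspect_bytes(blob))
```

The check looks only at file structure, so it works regardless of the file extension and regardless of what the signature check reports for the file.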

This blog post was followed by further posts by Be’ery and other IT security experts until this security hole was apparently forgotten and only came back into the spotlight in June 2020.

June 2020 – Return of GlueBall

Some researchers found that the long-known GlueBall security hole was still present in June 2020. The vulnerability received new attention because of a GlueBall exploit that was made public in a blog post on the site Securityinbits.

This post quickly gained popularity, so that well-known IT security researchers such as Brian Krebs wrote their own blog posts on the topic.

Finally, Microsoft decided to close the security hole and even classified it as “Important”. Microsoft did not respond to questions from various IT security experts as to why it took about 2 years to fix the vulnerability. Why the gap has now been closed can only be guessed, but the renewed attention since June will have contributed to this.


Vincent Reckendrees

Hello, I am Vincent Reckendrees and I lead the Offensive Services team at AWARE7 GmbH. In my bachelor's and master's studies I specialized in IT security, and I am a BSI-certified IS penetration tester. My passion is reverse engineering, hardware and web security. As an expert in penetration testing, I find vulnerabilities in systems and networks and use them to simulate realistic cyberattacks and improve security measures. Through reverse engineering I discover flaws and opportunities for improvement in software and hardware. My skills in hardware and web security enable me to protect physical devices and online platforms against a wide range of cyber threats and to ensure their integrity and reliability.