Security hole

GlueBall security gap was only closed after 2 years!


A security hole that has been known since 2018 has now been closed. The vulnerability was named GlueBall by its two discoverers and was rated “Important” by Microsoft after it had been ignored for 2 years.

GlueBall already reported in 2018

The story of GlueBall (CVE-2020-1464) has been summarized on the online platform Medium by security researcher Tal Be’ery. The first sample for this security hole was uploaded to VirusTotal on 08.05.2018.

The first GlueBall example on VirusTotal

The co-founder of the malware scanning service VirusTotal, Bernardo Quintero, discovered the GlueBall security hole as early as August 2018 and reported it to Microsoft immediately after he found it.

Long silence around CVE-2020-1464

After Quintero reported the vulnerability, nothing happened until January 2019. On January 15, 2019, Quintero published a blog post that explains the GlueBall vulnerability technically. The issue is that attackers can attach a malicious JAR file to an MSI file. It is important that the MSI file has been signed by a trustworthy software developer so that it is accepted by the operating system.

After this composite file is given a .jar extension, the attacker has a malware file that has been signed. A JAR file is an archive (comparable to .zip) that contains Java executable code. At the end of this blog post Bernardo Quintero wrote that he has permission from Microsoft to report on this topic. Microsoft has decided not to fix this problem for the time being.
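A defender-side check for the file structure described above, as an added example that is not taken from Quintero's post or from this article. It assumes that ZIP/JAR readers locate the archive through the end-of-central-directory record at the end of the file, while an MSI is recognized by the compound-file header at the start; the function names and the sample bytes are constructed for illustration, and the signature itself is not verified.

```python
import io
import struct
import zipfile

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # compound-file header that MSI uses
EOCD_SIG = b"PK\x05\x06"      # ZIP end-of-central-directory record
CDFH_SIG = b"PK\x01\x02"      # ZIP central-directory file header
EOCD_MIN = 22                 # EOCD size without its trailing comment
MAX_TAIL = EOCD_MIN + 0xFFFF  # EOCD plus the longest possible comment

def find_appended_zip(data: bytes):
    """Return (zip_start, entry_count) for a ZIP ending at EOF, else None."""
    lo = max(0, len(data) - MAX_TAIL)
    pos = data.rfind(EOCD_SIG, lo)
    while pos != -1:
        if pos + EOCD_MIN <= len(data):
            entries, cd_size, cd_offset, comment_len = struct.unpack_from(
                "<HIIH", data, pos + 10)
            cd_start = pos - cd_size          # central directory sits before EOCD
            zip_start = cd_start - cd_offset  # bytes glued in front of the archive
            if (pos + EOCD_MIN + comment_len == len(data) and entries > 0
                    and zip_start >= 0
                    and data[cd_start:cd_start + 4] == CDFH_SIG):
                return zip_start, entries
        pos = data.rfind(EOCD_SIG, lo, pos)   # try an earlier candidate
    return None

def classify(data: bytes) -> str:
    """Label a file by structure only; Authenticode is not verified here."""
    is_msi = data.startswith(OLE2_MAGIC)
    appended = find_appended_zip(data)
    if is_msi and appended:
        return "msi+zip polyglot"
    if is_msi:
        return "msi"
    return "zip" if appended else "other"

def constructed_samples() -> dict:
    """Constructed test bytes: the 'MSI' is a header-sized stub, unsigned."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    jar = buf.getvalue()
    stub = OLE2_MAGIC + b"\x00" * 504
    return {"msi": stub, "jar": jar, "glued": stub + jar}

if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(f"{name:6} -> {classify(blob)}")
```

A file that carries a .jar extension but classifies as "msi+zip polyglot" matches the composite layout described here and is worth quarantining regardless of what its signature check reports.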

This blog post was followed by further posts by Be’ery and other IT security experts until this security hole was apparently forgotten and only came back into the spotlight in June 2020.

June 2020 – Return of GlueBall

Some researchers found that the long-known security hole GlueBall was still present in June 2020. The vulnerability got new attention because of a GlueBall exploit that was made public in a blog post on the site Securityinbits.

This post quickly gained popularity, so that well-known IT security researchers such as Brian Krebs wrote their own blog posts on this topic.

Finally Microsoft decided to close the security hole and even classify it as “Important”. Microsoft did not respond to questions from various IT security experts as to why it took about 2 years to fix the vulnerability. Why the gap has now been closed can only be guessed, but the new hustle and bustle that has arisen since June will have contributed to this.


Chris Wojzechowski

My name is Chris Wojzechowski, and a few years ago I completed my master's degree in Internet Security in Gelsenkirchen. I am managing partner of AWARE7 GmbH and a trained IT risk manager and IT-Grundschutz Praktiker (TÜV), and I hold the audit procedure competence for § 8a BSIG. Our bread-and-butter business is carrying out penetration tests. Beyond that, we are committed to a broad understanding of IT security in Europe and for this reason offer the majority of our products free of charge.