CVE-2020-1464
vulnerability analysis and mitigation

Overview

CVE-2020-1464, known as the Windows Spoofing Vulnerability or GlueBall, is a security flaw in the file signature validation of Microsoft Windows. The vulnerability was first discovered in August 2018 and was finally patched in August 2020. The flaw affects all supported versions of Windows and allows attackers to bypass security features because Windows incorrectly validates file signatures (Krebs Security, VirusTotal Blog).

Technical details

The vulnerability exists in the MsiSIPVerifyIndirectData function used to verify Microsoft Installer (MSI) files. The flaw allows attackers to append malicious content to the end of a signed MSI file while the file still passes Windows signature verification. This is particularly dangerous in combination with JAR files: Java parses a JAR file from its end and ignores any content before the archive, while MSI signature verification starts from the beginning of the file and ignores anything appended after the MSI portion. The vulnerability has a CVSS 3.1 Base Score of 5.5 (MEDIUM) according to NIST NVD, while Microsoft rated it as 7.8 (HIGH) (Medium Blog).

Impact

An attacker who successfully exploits this vulnerability could bypass security features and load improperly signed files. The vulnerability allows malicious code to maintain a valid signature according to Microsoft Windows, potentially bypassing security solutions that rely on Windows code signing validation. This could lead to the execution of malicious code with elevated trust levels (CISA Alert).

Mitigation and workarounds

Microsoft released a patch for this vulnerability in August 2020 as part of their Patch Tuesday updates. The fix involves updating how the MsiSIPVerifyIndirectData function validates file signatures, specifically adding checks for unexpected file size and content beyond the MSI portion. Users and administrators are advised to apply the latest security updates or enable automatic updates to protect against this vulnerability (Microsoft Advisory).
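The check the fix describes, content beyond the MSI portion, can be approximated from the outside: scan a file from the end the way a JAR reader does and flag an OLE/MSI file that also carries a consistent ZIP central directory. This is an added detection example, not part of this report or of Microsoft's fix; the stub MSI bytes it builds are constructed (OLE magic plus filler), not a real or signed installer.

```python
import io
import struct
import zipfile
from typing import Optional, Tuple

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file header (MSI)
ZIP_EOCD_SIG = b"PK\x05\x06"                      # ZIP End Of Central Directory
ZIP_CD_SIG = b"PK\x01\x02"                        # central directory file header
MAX_COMMENT = 0xFFFF                              # EOCD comment length is 16-bit

def find_eocd(data: bytes) -> Optional[int]:
    """Offset of the EOCD record, found by scanning backwards like a JAR
    reader does; the record lies within the last 22 + 65535 bytes."""
    tail_start = max(0, len(data) - 22 - MAX_COMMENT)
    pos = data.rfind(ZIP_EOCD_SIG, tail_start)
    while pos != -1:
        if len(data) - pos >= 22:
            comment_len = struct.unpack_from("<H", data, pos + 20)[0]
            if pos + 22 + comment_len == len(data):
                return pos
        pos = data.rfind(ZIP_EOCD_SIG, tail_start, pos)
    return None

def zip_prefix_length(data: bytes) -> Optional[int]:
    """Bytes preceding an embedded ZIP archive, or None if no consistent
    archive is found. ZIP/JAR readers tolerate such a prefix (derived as
    eocd - cd_size - cd_offset), which is what lets a JAR ride on an MSI."""
    eocd = find_eocd(data)
    if eocd is None:
        return None
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    prefix = eocd - cd_size - cd_offset
    cd_start = prefix + cd_offset
    if prefix < 0 or data[cd_start:cd_start + 4] != ZIP_CD_SIG:
        return None
    return prefix

def is_msi_jar_polyglot(data: bytes) -> bool:
    """OLE header at the front and a valid ZIP central directory at the back."""
    return data.startswith(OLE_MAGIC) and zip_prefix_length(data) is not None

def build_samples() -> Tuple[bytes, bytes]:
    """Constructed inputs: a 512-byte stub 'MSI' (not a real installer) and
    the same stub with a minimal JAR-style archive appended to it."""
    msi_stub = OLE_MAGIC + b"\0" * 504
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return msi_stub, msi_stub + buf.getvalue()
```

On a real installer the same check reports how many bytes precede the appended archive, which is the size of the MSI portion that the signature actually covers.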

Community reactions

The security community expressed concern over Microsoft's delayed response to this vulnerability. Despite being informed about the issue in early 2019, Microsoft initially decided not to fix it, marking it as 'WONT FIX'. This decision was particularly controversial given that the vulnerability was being actively exploited. Security researchers and experts questioned why Microsoft waited two years to address a known zero-day vulnerability (Krebs Security).
