GlueBall: The story of CVE-2020-1464

A “spoofing” bug in virtually all supported versions of Windows

GlueBall Timeline

August 2018: A GlueBall sample was uploaded to VirusTotal

GlueBall explained

The VerifyIndirectData function is used to verify the integrity of a specific file format (source: SpecterOps)
Patched MsiSIPVerifyIndirectData() verifies the file’s size too (source: Peleg’s Twitter)
Same GlueBall file: digital signature valid on an unpatched computer, but invalid on a patched computer

Parting thoughts
