Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2020-1464

CVE-2020-1464: Windows 10 1507 Auth Bypass Vulnerability

CVE-2020-1464 is an authentication bypass spoofing flaw in Windows 10 1507 that allows attackers to load improperly signed files. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2020-1464 Overview

CVE-2020-1464 is a spoofing vulnerability that exists when Windows incorrectly validates file signatures. An attacker who successfully exploits this vulnerability can bypass security features and load improperly signed files. This vulnerability, sometimes referred to as "GlueBall," allows attackers to append malicious content to signed files while maintaining the original valid signature, effectively bypassing Windows code signing security controls.

Critical Impact

This vulnerability is actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities catalog. It allows attackers to bypass Windows code signing verification, enabling the execution of malicious code that appears legitimately signed.

Affected Products

  • Microsoft Windows 10 (versions 1507, 1607, 1709, 1803, 1809, 1903, 1909, 2004)
  • Microsoft Windows 7 SP1, Windows 8.1, Windows RT 8.1
  • Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019
  • Microsoft Windows Server versions 1903, 1909, 2004

Discovery Timeline

  • August 17, 2020 - CVE-2020-1464 published to NVD
  • February 23, 2026 - Last updated in NVD database

Technical Details for CVE-2020-1464

Vulnerability Analysis

This vulnerability is classified under CWE-347 (Improper Verification of Cryptographic Signature). The flaw exists in how Windows validates Authenticode signatures on executable files. The vulnerability allows an attacker to append malicious content to a legitimately signed file without invalidating the digital signature.

The attack technique exploits a fundamental weakness in how Windows processes file signatures. When Windows verifies an Authenticode signature, it checks the signature against the signed portion of the file but does not properly validate that the entire file content is covered by the signature. This allows attackers to append additional data—such as a malicious JAR file—to the end of a signed executable.

The practical exploitation involves appending a malicious JAR archive to a signed MSI or other Windows executable. Since Java reads JAR files from the end of the file (as JAR files are ZIP format which stores the directory at the end), the malicious JAR code executes while Windows sees only the valid signature from the original signed file.

Root Cause

The root cause is improper verification of cryptographic signatures in the Windows Authenticode validation process. Windows fails to ensure that the digital signature covers the entire file content, allowing post-signature data appending. Specifically, the signature validation routine does not detect or invalidate files where additional content has been appended after the signed data section.

Attack Vector

The attack requires local access and involves an attacker crafting a malicious payload by appending unsigned malicious code to a legitimately signed Windows executable file. In an attack scenario:

  1. The attacker obtains a legitimately signed Windows file (MSI, PE executable)
  2. Malicious code (typically a JAR archive) is appended to the end of the signed file
  3. The combined file retains the valid digital signature from the original file
  4. When Windows validates the file, the signature check passes
  5. When the file is opened with Java or another interpreter that reads from the file end, the malicious payload executes

This technique has been observed in the wild appending malicious JAR files to signed MSI installers, allowing malware distribution that bypasses security tools checking for valid signatures.

Detection Methods for CVE-2020-1464

Indicators of Compromise

  • Executable files with abnormally large file sizes relative to their expected content
  • Files with valid Authenticode signatures that contain JAR/ZIP data appended after the signature
  • Legitimate signed MSI or PE files with unexpected trailing data past the signature boundary
  • Execution of Java processes spawned from signed Windows installers

Detection Strategies

  • Implement file integrity monitoring to detect modified signed executables in critical directories
  • Deploy endpoint detection rules that alert on Java execution spawned from Windows installer processes
  • Use security tools capable of detecting file content beyond the Authenticode signature boundary
  • Monitor for unusual file write operations that modify signed executables

Monitoring Recommendations

  • Enable Windows Event logging for code integrity and AppLocker events
  • Configure SentinelOne to monitor for process ancestry anomalies involving signed installers spawning script interpreters
  • Audit software installation directories for files with mismatched content types
  • Implement application whitelisting with strict hash validation

How to Mitigate CVE-2020-1464

Immediate Actions Required

  • Apply the Microsoft security update released in August 2020 immediately
  • Prioritize patching systems in CISA's Known Exploited Vulnerabilities catalog remediation timeline
  • Audit systems for files exhibiting signature/content mismatch patterns
  • Enable enhanced code integrity enforcement policies where possible

Patch Information

Microsoft has released security updates to address this vulnerability. The patch corrects how Windows validates file signatures by ensuring the signature validation process properly accounts for the entire file content. Organizations should apply updates available through Windows Update or the Microsoft Security Response Center advisory.

For detailed technical analysis of this vulnerability, refer to the Medium analysis by Tal Be'ery and the VirusTotal blog post documenting malicious JAR appending techniques observed in the wild.

Workarounds

  • Block execution of Java (JAR files) from Windows installer directories using application control policies
  • Implement strict AppLocker or Windows Defender Application Control (WDAC) policies that validate file hashes rather than just signatures
  • Configure endpoint protection to perform deep file inspection beyond signature validation
  • Restrict execution of files from user-writable locations
bash
# Example: Configure AppLocker to require hash validation
# Run in elevated PowerShell
Set-AppLockerPolicy -PolicyFilePath "C:\Policies\strict-hash-policy.xml" -Merge
Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path "C:\Installers\*" -User Everyone

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne