CVE-2020-1464 Overview
CVE-2020-1464 is a spoofing vulnerability that exists when Windows incorrectly validates file signatures. An attacker who successfully exploits this vulnerability can bypass security features and load improperly signed files. This vulnerability, sometimes referred to as "GlueBall," allows attackers to append malicious content to signed files while maintaining the original valid signature, effectively bypassing Windows code signing security controls.
Critical Impact
This vulnerability is actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities catalog. It allows attackers to bypass Windows code signing verification, enabling the execution of malicious code that appears legitimately signed.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1709, 1803, 1809, 1903, 1909, 2004)
- Microsoft Windows 7 SP1, Windows 8.1, Windows RT 8.1
- Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019
- Microsoft Windows Server versions 1903, 1909, 2004
Discovery Timeline
- August 17, 2020 - CVE-2020-1464 published to NVD
- February 23, 2026 - Last updated in NVD database
Technical Details for CVE-2020-1464
Vulnerability Analysis
This vulnerability is classified under CWE-347 (Improper Verification of Cryptographic Signature). The flaw exists in how Windows validates Authenticode signatures on executable files. The vulnerability allows an attacker to append malicious content to a legitimately signed file without invalidating the digital signature.
The attack technique exploits a fundamental weakness in how Windows processes file signatures. When Windows verifies an Authenticode signature, it checks the signature against the signed portion of the file but does not properly validate that the entire file content is covered by the signature. This allows attackers to append additional data—such as a malicious JAR file—to the end of a signed executable.
The practical exploitation involves appending a malicious JAR archive to a signed MSI or other Windows executable. Since Java reads JAR files from the end of the file (as JAR files are ZIP format which stores the directory at the end), the malicious JAR code executes while Windows sees only the valid signature from the original signed file.
Root Cause
The root cause is improper verification of cryptographic signatures in the Windows Authenticode validation process. Windows fails to ensure that the digital signature covers the entire file content, allowing post-signature data appending. Specifically, the signature validation routine does not detect or invalidate files where additional content has been appended after the signed data section.
Attack Vector
The attack requires local access and involves an attacker crafting a malicious payload by appending unsigned malicious code to a legitimately signed Windows executable file. In an attack scenario:
- The attacker obtains a legitimately signed Windows file (MSI, PE executable)
- Malicious code (typically a JAR archive) is appended to the end of the signed file
- The combined file retains the valid digital signature from the original file
- When Windows validates the file, the signature check passes
- When the file is opened with Java or another interpreter that reads from the file end, the malicious payload executes
This technique has been observed in the wild appending malicious JAR files to signed MSI installers, allowing malware distribution that bypasses security tools checking for valid signatures.
Detection Methods for CVE-2020-1464
Indicators of Compromise
- Executable files with abnormally large file sizes relative to their expected content
- Files with valid Authenticode signatures that contain JAR/ZIP data appended after the signature
- Legitimate signed MSI or PE files with unexpected trailing data past the signature boundary
- Execution of Java processes spawned from signed Windows installers
Detection Strategies
- Implement file integrity monitoring to detect modified signed executables in critical directories
- Deploy endpoint detection rules that alert on Java execution spawned from Windows installer processes
- Use security tools capable of detecting file content beyond the Authenticode signature boundary
- Monitor for unusual file write operations that modify signed executables
Monitoring Recommendations
- Enable Windows Event logging for code integrity and AppLocker events
- Configure SentinelOne to monitor for process ancestry anomalies involving signed installers spawning script interpreters
- Audit software installation directories for files with mismatched content types
- Implement application whitelisting with strict hash validation
How to Mitigate CVE-2020-1464
Immediate Actions Required
- Apply the Microsoft security update released in August 2020 immediately
- Prioritize patching systems in CISA's Known Exploited Vulnerabilities catalog remediation timeline
- Audit systems for files exhibiting signature/content mismatch patterns
- Enable enhanced code integrity enforcement policies where possible
Patch Information
Microsoft has released security updates to address this vulnerability. The patch corrects how Windows validates file signatures by ensuring the signature validation process properly accounts for the entire file content. Organizations should apply updates available through Windows Update or the Microsoft Security Response Center advisory.
For detailed technical analysis of this vulnerability, refer to the Medium analysis by Tal Be'ery and the VirusTotal blog post documenting malicious JAR appending techniques observed in the wild.
Workarounds
- Block execution of Java (JAR files) from Windows installer directories using application control policies
- Implement strict AppLocker or Windows Defender Application Control (WDAC) policies that validate file hashes rather than just signatures
- Configure endpoint protection to perform deep file inspection beyond signature validation
- Restrict execution of files from user-writable locations
# Example: Configure AppLocker to require hash validation
# Run in elevated PowerShell
Set-AppLockerPolicy -PolicyFilePath "C:\Policies\strict-hash-policy.xml" -Merge
Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path "C:\Installers\*" -User Everyone
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
