As part of its Patch Tuesday release on August 11, 2020, Microsoft included a zero day vulnerability that went unfixed for several years. This vulnerability, CVE-2020-1464 and dubbed “GlueBall”, could allow an attacker to bypass security features built into Windows to validate file signatures, ultimately allowing an attacker to run improperly signed binaries on a system. This spoofing vulnerability was first seen in the wild being used by malware in August 2018, when several researchers notified Microsoft of the problem. It is recommended that the MS20-AUG patch be applied immediately as it will correct how Windows validates file signatures.
Code signing is a means to validate the authenticity of an executable – ensuring the code being installed hasn’t been tampered with. If this is bypassed, then malicious attackers have a direct route to the system. Organizations need to ensure they know what is installed on their systems and what their users have access to in order to prevent an app with a spoofed signature from slipping in. If they haven’t already, patch now and run vulnerability scans on all systems regularly.