We have 3 days to perform updates to Windows 10 and Server 2016 Operating Systems. That is how long it is estimated to take cybercriminals to reverse-engineer the recently disclosed flaw. It was announced today that a bug could leave over 900 million PCs vulnerable to attack.
The NSA recommends installing all January 2020 Patch Tuesday patches as soon as possible to effectively mitigate the vulnerability on all Windows 10 and Windows Server 2016/2019 systems.
Microsoft has rated the update as important, but the Principal Security Program Manager for the Microsoft Security Response Center explained that it was not listed as critical because “we have not seen it used in active attacks.”
The bug would allow an attacker to spoof a certificate so that it appears to have come from a trusted source. The vulnerability was reported to Microsoft by the National Security Agency and affects Windows 10, Windows Server 2016, Windows Server 2019, and Windows Server version 1803.
If automated patching is not possible, the NSA recommends system owners prioritize patching endpoints that provide essential or broadly relied-upon services.
Examples include:
Windows-based web appliances, web servers, or proxies that perform TLS validation.
Endpoints that host critical infrastructure (e.g. domain controllers, DNS servers, update servers, VPN servers, IPSec negotiation).
Prioritization should also be given to endpoints that have a high risk of exploitation. Examples include:
Endpoints directly exposed to the internet.
Endpoints regularly used by administrators.
The Technical Details
CVE-2020-0601 – Windows CryptoAPI Spoofing Vulnerability
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.
An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.
A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.
The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.
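As an added example (not code from the NSA or Microsoft advisories), the following Python script shows the check a defender can run on a certificate's DER SubjectPublicKeyInfo when triaging ECC certificates: a named-curve OID is the normal encoding, while explicitly listed curve parameters are the form whose validation the patch completes and are the ones worth flagging. The sample SPKI blobs are constructed inline with placeholder key bytes.

```python
# Added example (not from the NSA or Microsoft advisories): a minimal DER
# walker that triages the curve parameters in a DER SubjectPublicKeyInfo.
# A namedCurve OID is the normal encoding; explicit parameters get flagged.
EC_PUBLIC_KEY = "1.2.840.10045.2.1"
NAMED_CURVES = {"1.2.840.10045.3.1.7": "P-256", "1.3.132.0.34": "P-384",
                "1.3.132.0.35": "P-521"}

def read_tlv(buf, pos=0):
    """Parse one DER tag-length-value; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode OID contents (base-128 arcs) into dotted-decimal form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def classify_spki(spki):
    """Return 'named-curve:<name>', 'explicit-parameters' or 'not-ecc'."""
    tag, body, _ = read_tlv(spki)
    alg_tag, alg, _ = read_tlv(body)          # AlgorithmIdentifier
    if tag != 0x30 or alg_tag != 0x30:
        raise ValueError("malformed SubjectPublicKeyInfo")
    oid_tag, oid, pos = read_tlv(alg)
    if oid_tag != 0x06 or decode_oid(oid) != EC_PUBLIC_KEY:
        return "not-ecc"
    ptag, params, _ = read_tlv(alg, pos)      # ECParameters
    if ptag == 0x06:                          # namedCurve OID: benign form
        dotted = decode_oid(params)
        return "named-curve:" + NAMED_CURVES.get(dotted, dotted)
    if ptag == 0x30:                          # SpecifiedECDomain: triage it
        return "explicit-parameters"
    return "unexpected-parameters"

def der(tag, content):
    """Build one short-form DER TLV (used for the constructed samples)."""
    return bytes([tag, len(content)]) + content

# Constructed samples: a P-256 key with the namedCurve OID, and the same
# key with a shortened placeholder SpecifiedECDomain SEQUENCE instead.
EC_OID = der(0x06, bytes.fromhex("2a8648ce3d0201"))      # ecPublicKey
P256_OID = der(0x06, bytes.fromhex("2a8648ce3d030107"))  # prime256v1
KEY = der(0x03, b"\x00\x04" + bytes(64))                  # placeholder point
EXPLICIT = der(0x30, der(0x02, b"\x01") + der(0x30, der(0x06,
           bytes.fromhex("2a8648ce3d0101")) + der(0x02, b"\x7f")))
NAMED_SPKI = der(0x30, der(0x30, EC_OID + P256_OID) + KEY)
EXPLICIT_SPKI = der(0x30, der(0x30, EC_OID + EXPLICIT) + KEY)
```

To run it against a real certificate, extract the SubjectPublicKeyInfo from the DER file with any X.509 parser and pass those bytes to classify_spki.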
Change within the NSA
In October, Anne Neuberger became head of the newly formed NSA Cybersecurity Directorate to improve the NSA’s own internal security and bolster collaboration across departments. She stated that disclosing the code verification bug to Microsoft and the public is part of a new NSA initiative in which the agency will share its vulnerability findings more quickly and more often.
Thanks for reading my friends, stay safe!
We at Advanced Systems Solutions have helped many organizations streamline their updates. If you’re looking for an IT support company to keep your organization running optimally, with unmatched customer service, contact us. We love to help!
Like our Facebook page by clicking on the icon at the top right of this page to stay up to date with current alerts and information!
Disclaimer: The above information is not intended as technical advice. Additional facts or future developments may affect subjects contained herein. Seek the advice of an IT Professional before acting or relying on any information in this communiqué.
Sources
https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601