Windows 10 CryptoAPI Spoofing Vulnerability

After Adobe today released [1] its first Patch Tuesday updates for 2020, Microsoft has now also published its January security advisories, warning billions of users of new vulnerabilities in its various products.

What’s so special about the latest Patch Tuesday is that one of
the updates fixes a serious flaw in the core cryptographic
component of widely used Windows 10, Server 2016 and 2019 editions
that was discovered and reported to the company by the National
Security Agency (NSA) of the United States.

What’s more interesting is that this is the first security flaw in the Windows OS that the NSA has reported responsibly to Microsoft, unlike the Eternalblue SMB flaw [2] that the agency kept secret for at least five years and that was then leaked to the public by a mysterious group, causing the WannaCry menace [3] in 2017.

CVE-2020-0601: Windows CryptoAPI Spoofing Vulnerability

According to an advisory released by Microsoft, the flaw, dubbed ‘NSACrypt’ and tracked as CVE-2020-0601 [4], resides in the Crypt32.dll module, which contains various ‘Certificate and Cryptographic Messaging functions’ used by the Windows CryptoAPI for handling encryption and decryption of data.

The issue resides in the way the Crypt32.dll module validates Elliptic Curve Cryptography (ECC) certificates. ECC is currently the industry standard for public-key cryptography and is used in the majority of SSL/TLS certificates.

In a press release [5] published by the NSA, the agency explains that “the certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution.”

Exploitation of the vulnerability allows attackers to abuse
validation of trust between:

  • HTTPS connections
  • Signed files and emails
  • Signed executable code launched as user-mode processes

Though technical details of the flaw are not yet available to the public, Microsoft confirms that the flaw, if exploited successfully, could allow attackers to spoof digital signatures on software, tricking the operating system into installing malicious software while impersonating the identity of any legitimate software, without users’ knowledge.

“A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates,” the Microsoft advisory says.

“An attacker could exploit the vulnerability by using a spoofed
code-signing certificate to sign a malicious executable, making it
appear the file was from a trusted, legitimate source. The user
would have no way of knowing the file was malicious because the
digital signature would appear to be from a trusted provider.”

Besides this, the flaw in CryptoAPI could also make it easy for
remote man-in-the-middle attackers to impersonate websites or
decrypt confidential information on user connections to the
affected software.

“This vulnerability is classed Important and we have not seen it used in active attacks,” Microsoft said in a separate blog post [6].

“This vulnerability is one example of our partnership with the
security research community where a vulnerability was privately
disclosed and an update released to ensure customers were not put
at risk.”

“The consequences of not patching the vulnerability are severe
and widespread. Remote exploitation tools will likely be made
quickly and widely available,” the NSA said.

There is no mitigation or workaround available for this vulnerability, so you are highly recommended to install the latest software updates by heading to Windows Settings → Update & Security → Windows Update and clicking ‘Check for updates on your PC.’

References

  1. Adobe today releases (thehackernews.com)
  2. Eternalblue SMB flaw (thehackernews.com)
  3. WannaCry menace (thehackernews.com)
  4. CVE-2020-0601 (portal.msrc.microsoft.com)
  5. press release (media.defense.gov)
  6. blog post (msrc-blog.microsoft.com)
