A major crypto-spoofing bug impacting Windows 10 users has been fixed as part of Microsoft’s January Patch Tuesday security bulletin. The vulnerability could allow an attacker to spoof a code-signing certificate, vital to validating executable programs in Windows, and make it appear as if an application was from a trusted source.
“A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software,” wrote Microsoft in its advisory on January’s Patch Tuesday. The vulnerability, rated important, was found by the U.S. National Security Agency (NSA) and is not being actively exploited, Microsoft said.
Security experts are tipping their hats to the NSA for the disclosure, calling the move a trust-building step. The agency has been long criticized in the past for its lack of sharing of vulnerabilities and for using unknown bugs itself.
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said it was important that users prioritize the patch.
“Every Windows device relies on trust established by TLS and code-signing certificates, which act as machine identities,” Bocek said. “If you break these identities, you won’t be able to tell the difference between malware and Microsoft software.”
The vulnerability (CVE-2020-0601) exists in the way Windows (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. Core CryptoAPI functions include encrypting and decrypting data using digital certificates. “The CryptSignMessage function creates a hash of the specified content, signs the hash, and then encodes both the original message content and the signed hash,” according to a Microsoft description.
“Now anyone can mint software that looks legit. On an unpatched system, bad guys can evade next-gen AV protection and Microsoft’s own checks and balances,” Bocek told Threatpost. He added that there are “hundreds of certificate authorities installed in Windows and many organizations are completely unaware of the number of certificates on their systems.”
“For me, this is as bad as it gets; it demolishes 20 years of security controls. What is concerning to me are the older versions – critical systems – that will not get patched,” he said.
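A defender-side check for the bug described above, added here as an example rather than code from the article or from Microsoft: after the fix, NSA guidance recommended treating ECC certificates whose AlgorithmIdentifier carries explicit curve parameters instead of a namedCurve OID as suspect, so this pure-stdlib Python snippet classifies the parameter form found in a DER SubjectPublicKeyInfo. The three sample SPKIs are constructed by hand (stub key bits, ECParameters reduced to a bare SEQUENCE); only their tags matter to the check.

```python
# Added example, not code from the article or from Microsoft. Classifies the
# EC parameter form in a DER SubjectPublicKeyInfo; explicit parameters are the
# form NSA guidance flagged after CVE-2020-0601, since real CAs use named curves.
EC_PUBLIC_KEY = "1.2.840.10045.2.1"

def der_tlv(buf: bytes, pos: int = 0):
    """Decode one DER TLV at pos -> (tag, value, next_pos); handles long-form length."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value: bytes):
    """List the (tag, value) pairs packed inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(value: bytes) -> str:
    """Decode OID contents octets to dotted-decimal form."""
    arcs, cur = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(cur))
            cur = 0
    return ".".join(arcs)

def classify_ec_spki(spki: bytes) -> str:
    """Return 'named-curve', 'explicit-params', 'implicit', 'not-ec' or 'unknown'."""
    tag, body, _ = der_tlv(spki)
    assert tag == 0x30, "SPKI must be a SEQUENCE"
    _alg_tag, alg_val = der_children(body)[0]      # AlgorithmIdentifier
    parts = der_children(alg_val)                   # [algorithm OID, parameters]
    if decode_oid(parts[0][1]) != EC_PUBLIC_KEY:
        return "not-ec"
    if len(parts) < 2 or parts[1][0] == 0x05:       # absent or NULL: implicitCurve
        return "implicit"
    return {0x06: "named-curve", 0x30: "explicit-params"}.get(parts[1][0], "unknown")

# Constructed sample SPKIs: stub BIT STRING key, explicit ECParameters cut to a bare SEQUENCE.
SPKI_NAMED = bytes.fromhex("301a" "3013" "06072a8648ce3d0201" "06082a8648ce3d030107" "03030004ff")
SPKI_EXPLICIT = bytes.fromhex("3015" "300e" "06072a8648ce3d0201" "3003020101" "03030004ff")
SPKI_RSA = bytes.fromhex("3014" "300d" "06092a864886f70d010101" "0500" "03030004ff")

if __name__ == "__main__":
    for name, spki in [("named", SPKI_NAMED), ("explicit", SPKI_EXPLICIT), ("rsa", SPKI_RSA)]:
        print(name, classify_ec_spki(spki))
```

For a real certificate, extract the SPKI with `openssl x509 -in cert.pem -pubkey -noout` and base64-decode the PEM body before passing it to `classify_ec_spki`.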
Microsoft’s First 2020 Patch Tuesday
For its first Patch Tuesday of the year, Microsoft fixed 50 vulnerabilities, eight of them critical. The fixes are for Windows, Internet Explorer, Office, .Net and a variety of developer tools. All of the critical bugs are remote-code-execution (RCE) bugs, none yet exploited in the wild.
One of the critical bugs (CVE-2020-0609) is classified as a Windows RDP Gateway Server RCE flaw, nearly identical to another bug fixed this month (CVE-2020-0610).
“An attacker who exploited either of these bugs could get code execution on affected RDP Gateway Servers,” according to analysis by Zero Day Initiative’s Dustin Childs. “This code execution occurs at the level of the server and is pre-auth and without user interaction. That means these bugs are wormable – at least between RDP Gateway Servers. While not as widespread as systems affected by Bluekeep, it certainly presents an attractive target for attackers.”
The most notable news is still the final public patch release for Windows 7, Server 2008, and Server 2008 R2, according to Todd Schell, senior product manager at Ivanti, in an emailed analysis. “Windows 7, Server 2008, and Server 2008 R2 have received their final public patch release. If you are continuing to run these systems in your environment, you should make sure you are prepared for February and beyond.”