PALM BEACH, FL – On Tuesday, January 14, 2020, the U.S. National Security Agency released a Cybersecurity Advisory urging users of Microsoft’s Windows 10 operating system to patch a potentially serious vulnerability.
NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows® cryptographic functionality. The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.
Microsoft also released details about the vulnerability, which could allow an attacker to use a spoofed code-signing certificate – a sort of digital signature used to validate legitimate apps – to sign malicious software. This would allow the malware to appear to be from a trusted source and could make detection significantly more difficult.
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider. A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software. The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.
This vulnerability affects Windows 10.
- If you have Windows 10 and do not use Automatic Updates, or want to run Windows Update manually to get the patch quickly, follow Microsoft's instructions and click the “Check for Windows updates” button.
- Alternatively, when you are at your Windows 10 computer, click the Start button, select Settings, then Update & Security, then Windows Update, and click Check for updates to run Windows Update manually.
- If you have multiple PCs running Windows 10, ensure they are all up-to-date with the latest security patches.
- DO NOT attempt to download a patch for this vulnerability from anywhere other than the Windows Update tool. Windows system updates should only be downloaded directly from Microsoft.
- If you would like to read more about the unprecedented nature of the partnership between the NSA and Microsoft relating to this patch, see the coverage in the Washington Post or Business Insider.
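For administrators who manage several Windows 10 machines, the following PowerShell script is an added post-patch check; it is not from the article, the NSA advisory or Microsoft. It assumes you fill in the placeholder KB number for your build from your Windows Update history, and relies on the fact that the patched CryptoAPI writes Event ID 1 from source Microsoft-Windows-Audit-CVE to the Application log when it detects an attempt to exploit CVE-2020-0601.

```powershell
# Added example: post-patch verification for CVE-2020-0601 on a Windows 10 host.
# Assumption: $PatchKb is a placeholder; replace it with the January 2020 cumulative
# update KB number for this Windows build (the article does not list KB numbers).
$PatchKb = 'KB<placeholder-for-your-build>'

# 1. Confirm the cumulative update that carries the CryptoAPI fix is installed.
$hotfix = Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue
if ($hotfix) {
    "Update $PatchKb installed on $($hotfix.InstalledOn)"
} else {
    "Update $PatchKb NOT found - run Windows Update (Settings > Update & Security)"
}

# 2. Record the version of Crypt32.dll, the module named in the advisory, for your inventory.
$crypt32 = Get-Item "$env:SystemRoot\System32\crypt32.dll"
"crypt32.dll version: $($crypt32.VersionInfo.FileVersion)"

# 3. After patching, CryptoAPI logs Event ID 1 from source Microsoft-Windows-Audit-CVE
#    whenever it rejects a certificate that would have exploited the flaw. Any hit
#    should be handed to incident response: it means a spoofed ECC certificate was
#    presented to this host (via a signed file or a TLS connection).
$filter = @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-Audit-CVE'; Id = 1 }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match 'CVE-2020-0601' }

if ($events) {
    "Found $(@($events).Count) CVE-2020-0601 detection event(s):"
    $events | Select-Object TimeCreated, Message | Format-Table -AutoSize -Wrap
} else {
    "No CVE-2020-0601 Audit-CVE events recorded (or the host is not yet patched)."
}
```

Run it from an elevated PowerShell prompt, since reading the Application log and the hotfix list may require administrator rights on some configurations.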