January 2020 Patch Tuesday: Microsoft nukes Windows crypto flaw flagged by the NSA
As forecasted, January 2020 Patch Tuesday releases by Microsoft and Adobe are pretty light: the “star of the show” is CVE-2020-0601, a Windows flaw flagged by the NSA that could allow attackers to successfully spoof code-signing certificates and use them to sign malicious code or intercept and modify encrypted communications.
Microsoft’s patches
Microsoft has released security patches for a variety of its products, including Windows, Internet Explorer, Office and Office Services and Web Apps, ASP.NET, .NET Core, .NET Framework, OneDrive for Android, and Microsoft Dynamics.
The company fixed 49 CVE-numbered vulnerabilities, eight of which are rated critical; none of them is known to be under attack (as far as Microsoft knows at the time of release).
As mentioned before, CVE-2020-0601 will grab the most attention. Not only because it could have a wide-reaching impact, but also because it was reported by the NSA (as opposed to kept secret and quietly exploited).
“For the U.S. government to share its discovery of a critical vulnerability with a vendor is exceptionally rare if not unprecedented. It underscores the criticality of the vulnerability and we urge all organizations to prioritize patching their systems quickly,” said Amit Yoran, CEO of Tenable and the Founding Director of the DHS’s US-CERT program.
“The fact that Microsoft provided a fix in advance to the U.S. government and other customers that provide critical infrastructure is also highly unusual. These are clearly noteworthy shifts from regular practices and make this vulnerability worth paying attention to and also worth asking questions about. How long ago was the vulnerability discovered? How long did it take from discovery to reporting? Was it used by the NSA? Has it been observed being used by foreign intelligence services already? What triggered the vendor disclosure? None of these questions change what organizations need to do at this point to protect themselves, but their answers might tell us a lot more about the environment we operate in.”
SANS ISC’s Johannes Ullrich has described a number of scenarios for the bug’s exploitation.
The flaw affects only newer versions of Windows and Windows Server. It sits in the Windows CryptoAPI (Crypt32.dll), in the code that validates Elliptic Curve Cryptography (ECC) certificates: a certificate carrying its own explicit curve parameters could be matched to a trusted root by public key alone, so an attacker who knows a trusted root's public key can construct a private key and curve parameters that reproduce that public key, and signatures made with that private key pass as the root's. The security update corrects the validation and, on a patched system, also writes an entry to the Windows Application event log (provider Microsoft-Windows-Audit-CVE, Event ID 1) whenever a forged certificate of this kind is presented.
“This is significant and will help admins determine if they have been targeted,” noted Trend Micro’s Zero Day Initiative’s Dustin Childs.
It goes without saying that admins should prioritize this security update for Windows 10, Windows Server 2016 and 2019.
Other vulnerabilities of note in this batch of security updates are CVE-2020-0609 and CVE-2020-0610, two remote code execution bugs in Windows Remote Desktop Gateway (RD Gateway) that require no user interaction to exploit. An unauthenticated remote attacker could simply send a specially crafted request to a vulnerable RD Gateway server and execute arbitrary code on it with SYSTEM privileges. Both bugs are in the gateway's UDP transport, so blocking UDP/3391 at the perimeter or disabling UDP transport on the gateway is a stopgap until the patch is applied.
Oh, and don’t forget to update your Microsoft OneDrive App for Android if you use it, to prevent attackers from bypassing the passcode or fingerprint requirements of the app by sharing a link with you.
Animesh Jain, Product Manager of Vulnerability Signatures at Qualys, also advises admins to prioritize Scripting Engine, Browser, and .NET Framework patches for workstation-type devices (including multi-user servers that are used as remote desktops for users).
Users who still run Windows 7, Windows Server 2008 R2, and Windows Server 2008 are reminded once more that support for those ends today, and that today's patches for them, covering 22 CVEs, are the last they'll get without paying for Extended Security Updates.
A standout among these CVEs is CVE-2020-0620, a vulnerability that exists when Microsoft Cryptographic Services improperly handles a file, giving an attacker the opportunity to modify a protected file.
“While this exploitation would require an attacker having access and ability to execute on the machine, there are no shortage of weaponized but patchable exploits out in the wild that can provide that kind of access,” noted Richard Melick, Senior Technical Product Manager, Automox.
“And while the end of support happened today, this one simple vulnerability should be a reminder that today is the day to ensure all legacy endpoints are up to date and the security protocols and procedures surrounding these devices are centered on restricting access, securing third-party software, and minimizing the overall attack surface.”
Adobe patches
This month Adobe shipped fixes for only nine flaws.
Five, all critical, affect Adobe Illustrator CC for Windows and could allow attackers to execute arbitrary code on the underlying system in the context of the current user.
The remaining four affect Adobe Experience Manager 6.5 and below. These could “only” result in sensitive information disclosure.