We reported yesterday there was a major vulnerability in Windows which undermined the cryptographic foundation of the OS.
Today Microsoft released a patch for the vulnerability and also details regarding the issue.
The “broad cryptographic vulnerability” was discovered by the US National Security Agency (NSA), as confirmed by the NSA Director of Cybersecurity Anne Neuberger.
Microsoft confirmed that CVE-2020-0601 involves Windows CryptoAPI and says “a spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates,” which an attacker could use “to sign a malicious executable, making it appear the file was from a trusted, legitimate source.”
The flaw could also be used against encrypted communication such as HTTPS, with Microsoft saying:
“A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.”
Fortunately, the vulnerability only affects Windows 10, Windows Server 2019, and Windows Server 2016 OS versions, and it has not been exploited in the wild.
Despite this, the potential impact of the vulnerability was so severe that the NSA was forced to disclose it to Microsoft rather than keep it for its own use.
This is the first disclosure Microsoft has credited to the NSA, and Neuberger says it marks a change in the agency’s attitude towards vulnerabilities, with the NSA no longer looking to hoard them. The NSA had also warned infrastructure companies about the vulnerability and the coming patch, and it plans to release its own security advisory later today, with mitigation information and guidance on how to detect exploitation, while urging IT staff to expedite installation of today’s Patch Tuesday security updates.
The Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (DHS CISA) will also release an emergency directive today to alert the US private sector and government entities to the need to install the latest Windows OS fixes.