Last week, on January 14, 2020, Microsoft released the January 2020 Patch Tuesday Security Updates for its Windows 10 and Windows Server 2016/2019 operating systems; the updates also benefit every application that relies on Windows for trust functionality.
One of the vulnerabilities addressed by this patch is CVE-2020-0601, which was reported by the NSA, which also published a Cybersecurity Advisory about this cryptographic vulnerability in Microsoft Windows clients and servers.
The NSA Advisory rates this vulnerability as severe, because it lies in the process of validating cryptographic certificates. It would allow an attacker to achieve remote code execution by tricking the target system into believing that executable code comes from a legitimately trusted source.
According to The Hacker News and Krebs on Security, this is a historic case, since it marks the first time the NSA responsibly reported a Windows vulnerability to Microsoft instead of keeping it for its own use, as happened with the WannaCry ransomware, which was based on the EternalBlue tool leaked from the NSA a few years ago.
One of its main attack vectors would be any HTTPS connection to or from the Windows system. Since HTTPS relies on SSL certificates, a “counterfeit” certificate could trick a user into believing they are on a secure website while malware is downloaded in the background. The vulnerability also matters if the user regularly receives e-mails or files that have been cryptographically signed, e.g. with PGP or GnuPG.
Another attack vector arises whenever you install any piece of software: a signed executable could carry malicious code that is then launched as a user-mode process. With a forged cryptographic signature, such code could be used to gain access to your computer and cause serious damage to the file system.
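As an added example (not from the original post, the NSA advisory or Microsoft), a small Python check that classifies how a DER-encoded X.509 certificate encodes its EC key parameters: the certificate shape CVE-2020-0601 concerns is an EC public key carrying explicit ECParameters instead of a named-curve OID, and that is what this flags so a defender can review such certificates before they reach the Windows verifier. The certificates at the bottom are constructed, unsigned test data; the parser itself works on any real DER certificate.

```python
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")      # OID 1.2.840.10045.2.1 (id-ecPublicKey)

def _tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield each DER element inside a SEQUENCE as (tag, value_start, value_end)."""
    while start < end:
        item = _tlv(buf, start)
        yield item
        start = item[2]

def ec_params_kind(cert_der):
    """Return 'named', 'explicit', 'implicit' or 'not-ec' for the certificate's SPKI."""
    _, cs, _ = _tlv(cert_der, 0)                        # Certificate SEQUENCE
    _, ts, te = _tlv(cert_der, cs)                      # tbsCertificate SEQUENCE
    fields = list(_children(cert_der, ts, te))
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    _, ss, se = fields[5]                               # serial, sig, issuer, validity, subject, SPKI
    _, as_, ae = next(_children(cert_der, ss, se))      # SPKI.algorithm (AlgorithmIdentifier)
    alg = list(_children(cert_der, as_, ae))
    if cert_der[alg[0][1]:alg[0][2]] != ID_EC_PUBLIC_KEY:
        return "not-ec"
    params_tag = alg[1][0] if len(alg) > 1 else 0x05    # absent parameters behave like NULL
    return {0x06: "named", 0x30: "explicit"}.get(params_tag, "implicit")

# --- constructed sample certificates: structurally minimal, unsigned, test data only ---
def _der(tag, payload):
    """Encode one DER TLV (short- or long-form length)."""
    n = len(payload)
    if n < 128:
        return bytes([tag, n]) + payload
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + payload

def _sample_cert(alg_id_body):
    """Stand-in certificate where only the SPKI AlgorithmIdentifier is meaningful."""
    empty = _der(0x30, b"")                             # placeholder signature/issuer/validity/subject
    spki = _der(0x30, _der(0x30, alg_id_body) + _der(0x03, b"\x00\x04" + b"\x00" * 64))
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + empty * 4 + spki
    return _der(0x30, _der(0x30, tbs) + empty + _der(0x03, b"\x00"))

EC_OID = _der(0x06, ID_EC_PUBLIC_KEY)
NAMED_CURVE = _sample_cert(EC_OID + _der(0x06, bytes.fromhex("2a8648ce3d030107")))   # prime256v1
EXPLICIT_CURVE = _sample_cert(EC_OID + _der(0x30, _der(0x02, b"\x01") + _der(0x30, b"")))  # ECParameters
RSA_KEY = _sample_cert(_der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
```

For a real certificate, pass the raw DER bytes (base64-decode the body of a PEM file first); a result of "explicit" is the case worth reviewing on unpatched systems.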
As you can probably tell by now, this has the potential to render Windows systems fundamentally vulnerable. Precisely because of its severity, installing the January 2020 Patch Tuesday update as soon as possible is highly recommended, to avoid becoming a victim of attacks in the near-to-mid term.
We hope that, if Windows is your primary OS, you’ve already installed these security patches. If not, then get on it! ;-)
You definitely want to review whether you are vulnerable, and if you are a pentester, both of these are definitely something you want to test for.