Microsoft has kicked off the new decade with fixes for half a century of vulnerabilities, including one discovered by the NSA that could allow hackers to spoof digital certificates to bypass security measures.
This month’s Patch Tuesday focused around the CVE-2020-0601 flaw, which security experts praised the NSA for disclosing responsibly rather than trying to weaponize in attacks.
Affecting Windows 10 and Windows Server 2016 and 2019, the bug exists in the way the CryptoAPI DLL validates Elliptic Curve Cryptography (ECC) certificates.
“An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source,” warned Microsoft. “The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.”
If successful, an attacker could then conduct man-in-the-middle attacks and decrypt confidential information, or run malware even in environments using app whitelisting.
“Every Windows device relies on trust established by TLS and code signing certificates, which act as machine identities. If you break these identities, you won’t be able to tell the difference between malware and Microsoft software,” argued Kevin Bocek, VP of security strategy and threat intelligence at Venafi.
Todd Schell, senior product manager at Ivanti, urged admins to prioritize fixing the problem.
“The vulnerability is only rated as important, but there have been many examples of CVEs that were only rated as important being exploited in the wild,” he said. “Due to the nature of this vulnerability we would urge companies to treat this as a top priority this month and remediate quickly.”
A second flaw in Windows’ cryptographic services is rated with a lower CVSS score, but should also be prioritized, Schell claimed.
CVE-2020-0620 could allow attackers to overwrite or modify a protected file and elevate their privileges accordingly, although it first requires them to execute on a targeted system.
“Gaining execute rights on a system is a pretty low bar for most threat actors. Again, our guidance is to treat this as a priority 1 and address it in a timely manner,” said Schell.
This is the last Patch Tuesday that will include fixes for Windows 7 and Server 2008 systems, unless organizations have paid for extended support. If they have not, they will need to upgrade, or invest in virtual patching capabilities to mitigate the increased risk of attack.
“This will increase the risk assumed by those organizations that continue to run Windows 7 or 2008 and we expect attackers will begin actively looking for those operating systems as a ‘soft spot’ for a compromise,” warned Trustwave threat intelligence manager, Karl Sigler.