Microsoft has released a security update to address CVE-2020-0601, a dangerous flaw in Crypt32.dll affecting Windows 10 and Windows Server 2016/2019 systems. According to the advisory, “A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates”. The update also landed on the same day that Windows 7 support ended, which leaves many organisations still running Windows 7 systems in a vulnerable state.
The bug was discovered and reported by the US National Security Agency (NSA), as NSA Director of Cybersecurity Anne Neuberger said in a press call on 14 January 2020.
The NSA also published an advisory highlighting the criticality of this Windows flaw. The advisory cautions, “The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors. NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available.”
The CryptoAPI component provides multiple functions, one of which allows developers to digitally sign their software so that it appears to come from a trusted provider. The bug, however, allows attackers to spoof signatures on legitimate software (such as software updates) and could therefore allow malicious software to be run on a vulnerable computer.
At the time of writing this flaw has not been seen exploited in the wild, but proof-of-concept exploit code became available just two days after Microsoft released the patch.
As a user or organisation running these systems, you should apply the security updates Microsoft released during this month’s Patch Tuesday. This is also why it is important to have a proper servicing plan in place to keep your Windows-based infrastructure and endpoints patched.
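Once the update is installed, the patched Crypt32.dll writes an Application-log event (provider Microsoft-Windows-Audit-CVE, Event ID 1, message text containing “[CVE-2020-0601]”) whenever it rejects a certificate that attempted to exploit this flaw. The PowerShell check below is an added example, not code from the article or from Microsoft; it assumes that event source and ID, and it reports events from the last 30 days so defenders can see whether spoofed certificates have been presented to a patched host.

```powershell
# Added example: list CVE-2020-0601 detection events logged by the patched CryptoAPI.
# Assumes the provider name and event ID Microsoft documented for this fix.
function Get-Cve20200601Events {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$DaysBack = 30
    )

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Audit-CVE'
        Id           = 1
        StartTime    = (Get-Date).AddDays(-$DaysBack)
    }

    # Get-WinEvent throws when nothing matches; treat "no events" as a clean result.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Output "[$ComputerName] No Audit-CVE events in the last $DaysBack days (or host not yet patched)."
        return @()
    }

    # Keep only events whose message references this CVE, and return a compact record per hit.
    $events |
        Where-Object { $_.Message -match 'CVE-2020-0601' } |
        ForEach-Object {
            [pscustomobject]@{
                Computer    = $ComputerName
                TimeCreated = $_.TimeCreated
                Message     = $_.Message.Trim()
            }
        }
}

# Usage: run against the local host; pipe a list of hostnames to check a fleet.
Get-Cve20200601Events | Format-Table -AutoSize
```

An empty result on an unpatched host is not evidence of safety, since the event is only emitted by the fixed Crypt32.dll; confirm the January 2020 cumulative update is installed first.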