Microsoft has shipped out a security patch to address a serious vulnerability in the Windows operating system that, if abused, could enable attackers to make malware appear as though it was code from a legitimate source.
The vulnerability, which is being fixed as part of this month’s Patch Tuesday rollout, affects a key cryptographic component of Windows 10, Windows Server 2019 and Windows Server 2016. The flaw was discovered by the United States’ National Security Agency (NSA), which, for the first time ever, is now officially credited with the discovery of a software vulnerability.
Indexed as CVE-2020-0601, the bug resides "in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates," reads Microsoft’s security advisory. The Crypt32.dll module is responsible for many certificate and cryptographic messaging functions in the CryptoAPI.
“An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source,” said Microsoft.
In other words, a threat actor could get victims to install malware by passing it off as, say, a legitimate software update, including from Microsoft itself, while the targets would be none the wiser.
“The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider,” according to the tech giant.
“A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software,” said Microsoft.
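The page does not spell out what the faulty validation actually misses, and the following is an added illustration, not code from the article, from Microsoft or from Windows. The NSA's own advisory on the flaw attributes it to the handling of certificates that carry explicitly-defined elliptic curve parameters rather than a named curve. The general class of mistake is easy to show in pure Python on P-256: a validator that matches a certificate to a trusted root by public-key point alone can be fooled, because an attacker who knows the root's public point Q can pick any private key d' and publish a generator G' = d'^-1 * Q, so that d' * G' equals Q. A checker that also insists on the named curve's generator rejects the forgery. The ECDSA, curve arithmetic, "certificate" dictionaries and the `run_demo`/`validate_*` names are all constructed for this example and are not CryptoAPI calls.

```python
# Added example: public-key-only matching versus full curve-parameter
# checking when linking a certificate to a trusted root. Pure-Python P-256;
# all names and sample data here are constructed for the demo.
import hashlib
import secrets

# NIST P-256 (secp256r1) domain parameters: y^2 = x^3 + A*x + B (mod P)
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)


def point_add(p1, p2):
    """Affine point addition on P-256; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """Double-and-add k*point (not constant-time; demonstration only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def _hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def ecdsa_sign(priv, msg, generator):
    """ECDSA over whichever generator the signer's parameters declare."""
    z = _hash_to_int(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = scalar_mult(k, generator)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s:
            return (r, s)


def ecdsa_verify(pub, msg, sig, generator):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    u1, u2 = _hash_to_int(msg) * w % N, r * w % N
    pt = point_add(scalar_mult(u1, generator), scalar_mult(u2, pub))
    return pt is not None and pt[0] % N == r


def forge_parameters(trusted_pub):
    """Attacker: choose d', then set G' = d'^-1 * Q so that d' * G' == Q."""
    d_evil = secrets.randbelow(N - 1) + 1
    g_evil = scalar_mult(pow(d_evil, -1, N), trusted_pub)
    return d_evil, g_evil


def validate_key_only(cert, trusted_pub):
    """Flawed check: matches the trusted root on the public-key point alone."""
    return cert["pub"] == trusted_pub


def validate_with_params(cert, trusted_pub):
    """Hardened check: the point must match AND the curve must be the named one."""
    return cert["pub"] == trusted_pub and cert["generator"] == G


def run_demo():
    d_ca = secrets.randbelow(N - 1) + 1          # constructed "trusted root"
    q_ca = scalar_mult(d_ca, G)
    d_evil, g_evil = forge_parameters(q_ca)
    msg = b"contents of a malicious executable"   # constructed stand-in
    forged_sig = ecdsa_sign(d_evil, msg, g_evil)
    legit_sig = ecdsa_sign(d_ca, msg, G)
    forged_cert = {"pub": q_ca, "generator": g_evil}  # same Q, attacker's G'
    return {
        "forged_point_equals_root": scalar_mult(d_evil, g_evil) == q_ca,
        "key_only_trusts_forgery": validate_key_only(forged_cert, q_ca),
        "forged_sig_ok_under_cert_params": ecdsa_verify(q_ca, msg, forged_sig, g_evil),
        "params_check_trusts_forgery": validate_with_params(forged_cert, q_ca),
        "forged_sig_ok_under_named_curve": ecdsa_verify(q_ca, msg, forged_sig, G),
        "legit_sig_ok": ecdsa_verify(q_ca, msg, legit_sig, G),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The point to take away is the last two validators: `validate_key_only` accepts the forged certificate and the attacker's signature then verifies under the parameters the certificate itself supplied, whereas `validate_with_params` refuses it and the same signature fails against the real P-256 generator. Any trust decision that keys on the public point without binding it to the named curve has the same weakness, which is why a patch to the validator, not a revocation of any one certificate, is the fix.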
“Severe and widespread”
Hours before the official announcement, rumors began to swirl that this would not be a typical Patch Tuesday rollout. Indeed, some in the security community may have been waiting on pins and needles after veteran security journalist Brian Krebs more than hinted at the magnitude of the problem:
"An extraordinarily serious security vulnerability," Krebs wrote when describing the bug on Monday night. The US government and military, as well as several high-profile companies, are said to have received the patches in advance.
The severity of the situation eventually prompted a bevy of official communications from US authorities. These included an alert from the Cybersecurity and Infrastructure Security Agency (CISA), an emergency directive from the Department of Homeland Security (DHS) directing federal entities to patch on an expedited timeline, and an advisory from the NSA itself.
“The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners,” said the intelligence agency. At the time of the announcement, neither the NSA nor Microsoft was aware of the flaw being abused in the wild.
Older Windows systems are not affected by the vulnerability, including Windows 7, which happened to reach its end of life on this very day, and Windows 8.
This month’s Patch Tuesday bundle is made up of fixes for a total of 49 vulnerabilities, which are neatly summarized in this table by the SANS Technology Institute. Two critical flaws in Windows Remote Desktop Gateway (RD Gateway), CVE-2020-0609 and CVE-2020-0610, stand out, as they allow unauthenticated remote attackers to execute arbitrary code on the targeted system.