Jump to content
Search In
  • More options...
Find results that contain...
Find results in...
  • Jimi Wikman
    Jimi Wikman

    Windows 10 critical vulnerabilities - NSA warn and urge to install security patch

    On January 14, 2020, Microsoft released software fixes to address 49 vulnerabilities as part of their monthly Patch Tuesday announcement. Among the vulnerabilities patched were critical weaknesses in Windows CryptoAPI, Windows Remote Desktop Gateway (RD Gateway), and Windows Remote Desktop Client. An attacker could remotely exploit these vulnerabilities to decrypt, modify, or inject data on user connections:

    The updates fixes a serious flaw in the core cryptographic component of widely used Windows 10, Server 2016 and 2019 editions that was discovered and reported to the company by the National Security Agency (NSA) of the United States

    The flaw, dubbed 'NSACrypt' and tracked as CVE-2020-0601, resides in the Crypt32.dll module that contains various 'Certificate and Cryptographic Messaging functions' used by the Windows Crypto API for handling encryption and decryption of data.

    A cyber attacker could exploit CVE-2020-0601 to obtain sensitive information, such as financial information, or run malware on a targeted system; for example:

    • A maliciously crafted certificate could appear to be issued for a hostname that did not authorize it, preventing a browser that relies on Windows CryptoAPI from validating its authenticity and issuing warnings. If the certificate impersonates a user’s bank website, their financial information could be exposed.
    • Signed malware can bypass protections (e.g., antivirus) that only run applications with valid signatures. Malicious files, emails, and executables can appear legitimate to unpatched users.

     

    Quote

    A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.

    An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.

    A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

    The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.

    -https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0601

     

     

    Quote

    NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows®1cryptographic functionality. The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.

    https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF

     

    Quote

    This vulnerability is classed Important and we have not seen it used in active attacks.

    https://msrc-blog.microsoft.com/2020/01/14/january-2020-security-updates-cve-2020-0601/

     

     

    Besides Windows CryptoAPI spoofing vulnerability that has been rated 'important' in severity, Microsoft has also patched 48 other vulnerabilities, 8 of which are critical and rest all 40 are important.

    It is strongly suggested that you patch this as soon as possible by heading on to your Windows Settings → Update & Security → Windows Update → clicking 'Check for updates on your PC.

    Edited by Jimi Wikman




    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Similar Content

    • By ©Jimi Wikman
      In the wake of Covid-19 and the increased need for communication for people working from home it comes as no surprise that Microsoft Teams are targeted by malicious people. This week we see both CISA and Abnormal security reporting on targeted phishing campaigns that have affected more than 50.000 users so far.
      With so many starting to work from home due to the Covid-19 situation invites to different Microsoft Teams are very common. This is something that malicious people have started to take advantage of. Since many organizations are still a bit new to the situation of many employees working from home, this also mean that security is not always up to par with the situation.
      The tactic is rather simple, but sadly also effective. One example is that a mail that seems legit are sent out with a link to a document on a Microsoft Team. If the link is clicked the user is asked to login and if that button is clicked, they’re taken to a malicious page which convincingly impersonates the Microsoft Office login page in order to steal their credentials
      Another example include an email link that points to a YouTube page.  From there the users are redirected twice to finally land on another Microsoft Office login phishing site which convincingly impersonates the Microsoft Office login page.
      This is even more effective on mobile according to the articles. This is because the images take up most of the space and because domain links are more difficult to see and therefore identify.  These phishing attempts are however very convincing even on desktop, which makes it more likely that someone will get caught in the phishers net.
      As Microsoft Teams are integrated with Office 365 single sign on it means that if compromised the phisher will have access to other, possibly much more damaging, areas.  This is not the only issues facing office 365 users however and Sway got a bit of heat earlier this week as well.
      Microsoft is not being idle however and this week they patched a nasty subdomain takeover vulnerability in Teams that could have allowed an inside attacker to weaponize a single GIF image and use it to pilfer data from targeted systems and take over all of an organization’s Teams accounts.
      As always, be careful with email links and make sure you vet the urls carefully before submitting any user information online.
    • By ©Jimi Wikman
      In today's Adobe Illustrator tutorial I'm going to take you through the process of creating a colourful embroidered patch, based on the kinds of designs associated with National Parks. The artwork will incorporate a landscape scene at sunset, which helps to keep the design simple with a silhouette graphic and a warm colour palette. Stick around until the end of this tutorial to discover an easy way to make your digital design look real with stitching and embroidery effects.
    • By ©Jimi Wikman
      Microsoft accidentally exposed nearly 250 million Customer Service and Support records on the web. The records contained logs of conversations between Microsoft and customers from all over the world. This data is spanning a 14-year period from 2005 to December 2019. All of the data was left accessible to anyone with a web browser, with no password or other authentication needed.
      The Comparitech security research team led by Bob Diachenko uncovered five Elasticsearch servers, each of which contained an apparently identical set of the 250 million records. Diachenko immediately notified Microsoft upon discovering the exposed data, and Microsoft took swift action to secure it.
      Despite swift action from Microsoft the data was exposed for 25 days during the holidays. The information exposed includes Customer email addresses, IP addresses and physical locations, descriptions of customer service claims and cases, case numbers, resolutions and remarks, and internal notes marked "confidential". This information, which is in plain text, is prety much all you need for a full scale fraud attack as Paul Bischoff explain in his post.
      Microsoft has begun reaching out to the millions of customers affected and they urge users to stay alert should anyone contact them under the guise of being a representative from Microsoft in their official response to the incident.
      With this error some are questioning the security measures in place at Microsoft. Fausto Oliveira, principal security architect at Acceptto gave this statement to threatpost:
       
    • By ©Jimi Wikman
      In this video we show you how to create and share a simple poll in your Microsoft Teams channel.
×
×
  • Create New...