    Jimi Wikman

    Windows 10 critical vulnerabilities - NSA warns and urges users to install the security patch

    On January 14, 2020, Microsoft released software fixes to address 49 vulnerabilities as part of their monthly Patch Tuesday announcement. Among the vulnerabilities patched were critical weaknesses in Windows CryptoAPI, Windows Remote Desktop Gateway (RD Gateway), and Windows Remote Desktop Client. An attacker could remotely exploit these vulnerabilities to decrypt, modify, or inject data on user connections.

    The update fixes a serious flaw in the core cryptographic component of the widely used Windows 10, Server 2016 and 2019 editions, which was discovered and reported to the company by the National Security Agency (NSA) of the United States.

    The flaw, dubbed 'NSACrypt' and tracked as CVE-2020-0601, resides in the Crypt32.dll module that contains various 'Certificate and Cryptographic Messaging functions' used by the Windows Crypto API for handling encryption and decryption of data.

    A cyber attacker could exploit CVE-2020-0601 to obtain sensitive information, such as financial information, or run malware on a targeted system; for example:

    • A maliciously crafted certificate could appear to be issued for a hostname that did not authorize it, preventing a browser that relies on Windows CryptoAPI from validating its authenticity and issuing warnings. If the certificate impersonates a user’s bank website, their financial information could be exposed.
    • Signed malware can bypass protections (e.g., antivirus) that only run applications with valid signatures. Malicious files, emails, and executables can appear legitimate to unpatched users.

     

    Quote

    A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.

    An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.

    A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

    The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.

    -https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0601

     

     

    Quote

    NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows® cryptographic functionality. The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.

    https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF

     

    Quote

    This vulnerability is classed Important and we have not seen it used in active attacks.

    https://msrc-blog.microsoft.com/2020/01/14/january-2020-security-updates-cve-2020-0601/

     

     

    Besides the Windows CryptoAPI spoofing vulnerability, which is rated 'important' in severity, Microsoft has also patched 48 other vulnerabilities, 8 of which are critical and the remaining 40 important.

    It is strongly suggested that you patch this as soon as possible by going to Windows Settings → Update & Security → Windows Update and clicking 'Check for updates' on your PC.
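
A defender-side check for certificates collected during triage, added here and not part of the original post or of Microsoft's or NSA's material: the NSA advisory linked above treats ECC certificates that reference a named curve as benign and ones that carry explicitly defined curve parameters as suspicious. The function names and the hex samples are constructed for this example, and the parser assumes plain DER with single-byte tags.

```python
# Added example (not from the original post). Hex samples below are constructed.
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # OID 1.2.840.10045.2.1
STYLES = {0x06: "named-curve", 0x30: "explicit-parameters", 0x05: "implicit"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def walk(buf, start, end):
    """Yield every element between start and end, descending depth first."""
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, vs, ve
        if tag & 0x20:                      # constructed type: has children
            yield from walk(buf, vs, ve)
        pos = ve

def ec_parameter_style(der):
    """Classify the parameters of the first id-ecPublicKey AlgorithmIdentifier."""
    for tag, vs, ve in walk(der, 0, len(der)):
        if tag != 0x30 or vs == ve:         # only non-empty SEQUENCEs
            continue
        child_tag, a, b = read_tlv(der, vs)
        if child_tag != 0x06 or der[a:b] != ID_EC_PUBLIC_KEY:
            continue
        if b >= ve:
            return "missing-parameters"
        return STYLES.get(der[b], "unknown")  # tag of the parameters field
    return "not-ec"

# Constructed SubjectPublicKeyInfo stubs; key bits and explicit params are dummies.
NAMED = bytes.fromhex("3019" "3013" "06072a8648ce3d0201" "06082a8648ce3d030107" "03020004")
EXPLICIT = bytes.fromhex("3014" "300e" "06072a8648ce3d0201" "3003020101" "03020004")
RSA = bytes.fromhex("300d" "06092a864886f70d010101" "0500")

if __name__ == "__main__":
    for name, blob in (("named", NAMED), ("explicit", EXPLICIT), ("rsa", RSA)):
        print(name, "->", ec_parameter_style(blob))
```

For a PEM file, convert it first with `ssl.PEM_cert_to_DER_cert()` from the standard library; an `explicit-parameters` result marks the certificate for manual review and is not proof of exploitation on its own.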



