Major Flaw In Windows 10 Discovered By The NSA – Experts Reactions

Microsoft has released a software update to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Sources say Microsoft quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organisations were asked to sign agreements preventing them from disclosing details of the flaw before the first Patch Tuesday of 2020, which took place yesterday.

According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles “certificate and cryptographic messaging functions in the CryptoAPI.” The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates.

A critical vulnerability in this Windows component could have wide-ranging security implications for a number of important Windows functions, including authentication on Windows desktops and servers, the protection of sensitive data handled by Microsoft’s Internet Explorer/Edge browsers, as well as a number of third-party applications and tools.

Experts' Comments

January 16, 2020
Wicus Ross
Senior Researcher
SecureData
The flaw exists in the validation process of digital certificates, which are used by various services including web servers to validate identity, authenticity and to establish confidential communication channels. While this means that an attacker could potentially eavesdrop on a confidential conversation or impersonate another entity, there is very little public information available on how the vulnerability could be exploited. The only acceptable mitigation against this vulnerability is to install the applicable Microsoft patch. Microsoft has also released patches in response to two other vulnerabilities regarding the Remote Desktop Gateway. However, we expect attackers to be ready to craft new exploits that can target these gateway servers, which are normally internet facing. They have had ample time to hone their skills at exploiting vulnerabilities in Remote Desktop ever since similar vulnerabilities were published in September 2019.
January 15, 2020
Kevin Bocek
VP Security Strategy & Threat Intelligence
Venafi
Every Windows device relies on trust established by TLS and code signing certificates, which act as machine identities. If you break these identities, you won't be able to tell the difference between malware and Microsoft software. It's good that Microsoft is treating this with urgency; any vulnerability in the core part of Windows is serious. In addition to your own certificates, there are hundreds of Certificate Authorities installed in Windows. Unfortunately, many organisations are completely unaware of the number of certificates on their system and cyber attackers are more than willing to exploit this. These vulnerabilities should remind us about the blind trust we have in cryptography and machine identities. Security teams need visibility, intelligence and automation to know where their machine identities are and the ability to change them.
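The certificate inventory this comment calls for, as an added PowerShell example that is not part of the comment or of any vendor's tooling: it lists the identities in the machine-wide Windows certificate stores and flags ECC-keyed certificates, since Microsoft's advisory (quoted further down this page) says the flaw is in validating certificates that use ECC. The store list and the export path are assumptions.

```powershell
# Added example: inventory the local machine's certificate stores and flag
# ECC-keyed certificates and self-signed (root) entries for review.
# The set of stores and the CSV path are assumptions for this example.
$stores = @('Root', 'AuthRoot', 'CA', 'My', 'TrustedPublisher')
$ecPublicKeyOid = '1.2.840.10045.2.1'   # id-ecPublicKey (ECC public key)

$inventory = foreach ($store in $stores) {
    Get-ChildItem -Path "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Store        = $store
                Subject      = $_.Subject
                Issuer       = $_.Issuer
                Thumbprint   = $_.Thumbprint
                NotAfter     = $_.NotAfter
                KeyAlgorithm = $_.PublicKey.Oid.FriendlyName
                SigAlgorithm = $_.SignatureAlgorithm.FriendlyName
                IsEcc        = ($_.PublicKey.Oid.Value -eq $ecPublicKeyOid)
                SelfSigned   = ($_.Subject -eq $_.Issuer)
            }
        }
}

# Summary per store: how many identities exist and how many carry ECC keys.
$inventory | Group-Object -Property Store | ForEach-Object {
    $eccCount = @($_.Group | Where-Object IsEcc).Count
    '{0,-16} total={1,4} ecc={2,4}' -f $_.Name, $_.Count, $eccCount
}

# Detail: every ECC-keyed certificate, oldest expiry first, so the team can
# see which identities depend on the validation path the patch corrects.
$inventory | Where-Object IsEcc |
    Sort-Object Store, NotAfter |
    Format-Table Store, Subject, KeyAlgorithm, SigAlgorithm, NotAfter, Thumbprint -AutoSize

# Self-signed entries in the trust stores are the roots the machine trusts;
# review any you do not recognise.
$inventory | Where-Object { $_.SelfSigned -and $_.Store -in @('Root', 'AuthRoot') } |
    Format-Table Store, Subject, KeyAlgorithm, NotAfter -AutoSize

# Export the whole inventory so the next run can be diffed against this baseline.
$inventory | Export-Csv -Path "$env:TEMP\cert-inventory.csv" -NoTypeInformation
```

Run it in an elevated PowerShell session so the LocalMachine stores are readable in full; compare the CSV between runs to spot roots or publishers that appeared without a change ticket.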
January 16, 2020
Jonathan Knudsen
Senior Security Strategist
Synopsys
Software rots over time. It is not that the software is actually changing and getting worse; instead, vulnerabilities that were already in the software and its component building blocks are discovered over time. CVE-2020-0601, recently disclosed by Microsoft, is a vulnerability at the heart of the system of trust that underlies software applications for the Windows operating system. Legitimate developers can cryptographically sign their software, which proves its legitimacy to users at installation time. The vulnerability in crypt32.dll, a fundamental component of Windows, enables an attacker to supply malware that appears to be legitimate. This means that users can unwittingly install bad software even though they are relying on the code signing mechanism to give them assurance of its safety. The seriousness of this vulnerability demonstrates the importance of updating. People often say "if it ain't broke, don't fix it." Unfortunately, this attitude is disastrous in software security, where the expression should be "if it ain't broke, it will be soon." That is why updating software is critically important. New versions of software are released to fix vulnerabilities; if you don't update, attackers are able to exploit these vulnerabilities to steal information or take control of your systems. Unfortunately, updating software sometimes causes things to stop working. Many organizations are reluctant to update as soon as patches are available because of the risk of losing functionality. Each organization must find the line that balances the risk of breakage against the risk of attackers exploiting a vulnerability.
January 16, 2020
Tim Mackey
Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
Synopsys
There are times when it's reasonable to defer a patch, but deferring the patch for CVE-2020-0601 isn't one of them. The underlying component, crypt32.dll, is used for all digital signatures on Windows computers, servers and desktops alike. This is the component which helps verify SSL connections, whether software packages are legitimate, and whether a digital certificate submitted for email authentication is valid, among many other security items. Exploitation of this vulnerability will allow an attacker to bypass the trust of all network connections on Windows 10 and Windows Server 2016/2019 systems, or those referencing them. With the attention CVE-2020-0601 is receiving, attackers will be crafting their attacks with an eye to profiting from those who lag in their patch procedures. Priority should be placed on patching any Windows device connected to the internet, or fulfilling a network service function like DNS, web proxy, VPN server, domain controllers or systems validating trust. As with any vulnerability, if the system is used by a privileged user, then timely application of patches is critical. In the case of CVE-2020-0601, priority should be placed on patching any system used by a privileged user or by a user with access to sensitive data.
January 15, 2020
Amit Yoran
Chairman and CEO
Tenable
For the U.S. government to share its discovery of a critical vulnerability with a vendor is exceptionally rare if not unprecedented. It underscores the criticality of the vulnerability and we urge all organisations to prioritise patching their systems quickly. The fact that Microsoft provided a fix in advance to US Government and other customers which provide critical infrastructure is also highly unusual. These are clearly noteworthy shifts from regular practices and make this vulnerability worth paying attention to and also worth asking questions about. How long ago was the vulnerability discovered? How long did it take from discovery to reporting? Was it used by the NSA? Has it been observed being used by foreign intelligence services already? What triggered the vendor disclosure? None of these questions change what organisations need to do at this point to protect themselves, but their answers might tell us a lot more about the environment we operate in.
January 15, 2020
Boris Cipot
Senior Sales Engineer
Synopsys
This is serious news, as the crypt32.dll is a module needed for securing the Microsoft Operating Systems. We still don't know precisely what the bug is and how easily it could be exploited, as that hasn't been fully disclosed yet, but there are some pointers online that can give us an idea. We will be able to say more once the patch is released. Users are advised to apply the patch for the crypt32.dll as soon as an update is released. However, an issue remains for all the Windows 7 operating systems that are still in use, for which the support is ending today, 14th of January. It will be up to Microsoft to decide whether they will release a last patch, even after the software reached its end of life. Importantly, users are also urged not to trust websites or emails with links that offer patches for the crypt32.dll. Phishers prey on announcements of security flaws and design campaigns aimed at exploiting people's desire to patch a vulnerability as soon as possible. It is important to use the official channels to update operating systems, in this case the Update and Security section in Windows 10's settings. Windows 7 users should also run the updates if they'll be provided, and should ideally upgrade to Windows 10 to avoid being unnecessarily exposed to risks.
January 15, 2020
Ambuj Kumar
CEO
Fortanix
Elliptic curves have had a bad reputation. Microsoft's disclosure today that "CryptoAPI fails to properly validate certificates that use Elliptic Curve Cryptography (ECC), which may allow an attacker to spoof the validity of certificate chains", without providing a root cause, leaves many questions unanswered. It'll certainly not help with all the previous history of trustworthiness of ECC.
January 15, 2020
Saryu Nayyar
CEO
Gurucul
Unpatched vulnerabilities like this are actually some of the most dangerous types of cyber threats because they're not known vulnerabilities and cannot be defended using conventional signature-based security tools. These sorts of vulnerabilities are also most likely to be exploited by advanced cyber criminals and nation-state attackers to carry out sophisticated attacks that many organisations are not prepared to stop. This is a case where security analytics could help identify and stop threats emanating from this vulnerability. By comparing real-time behaviour of users and entities to normal baselined behaviour, it's possible to identify activities that are indicative of a cyber attack and intervene before it's too late.
January 15, 2020
Chris Hodson
CISO
Tanium
The Patch Tuesday update from Microsoft revealed a critical security vulnerability in its cryptographic library used by Windows 10, Server 2016, and Server 2019. An attacker could use this vulnerability to spoof a code-signing certificate, sign a malicious executable, and make it look like it was from a trusted source. An attacker could also conduct man-in-the-middle attacks against affected software and decrypt sensitive information. As we have learnt from attacks like WannaCry, the failure to patch known vulnerabilities can be devastating. For businesses, it is essential to have visibility and control of all endpoints, such as servers and laptops, to ensure that patching of this vulnerability is completed. Organisations cannot protect assets they can't see, so will need the most up-to-date and accurate view of their security environment to ensure they are best protected. The NSA has advised that the consequence of failing to patch could be severe and widespread, so it is imperative that security professionals and IT leaders take this action seriously and act quickly.
January 15, 2020
Stuart Reed
UK Director
Orange Cyberdefense
The existence of this vulnerability serves as a reminder of just how important it is to have processes and technology in place that can act quickly. Whether it's checking automatic updates are enabled, actively ensuring the patch is deployed or monitoring the network more broadly, as an operating system that is utilised by a large portion of organisations today, the scale and severity of this incident cannot be overlooked. While security teams can become overwhelmed with security alerts and updates, there is a responsibility to protect the data held and customers served, whether you're a Fortune 500, government organisation or a small business. An active mindset around security is paramount if organisations are to avoid falling victim to bad actors looking to make use of these types of vulnerabilities.
January 15, 2020
Renaud Deraison
Co-founder and CTO
Tenable
CVE-2020-0601 hits at the very trust we have in today's digital computing environments: trust to authenticate binaries and trust that our ciphered communications are properly protected. The flaw would enable an attacker, among other things, to exploit how Windows verifies cryptographic trust, enabling them to deliver executable code and making it look like it came from a trusted source. You can imagine its use in ransomware and phishing attacks on unpatched systems. This is a serious vulnerability and one that we fully expect to see exploited in the wild in the coming weeks and months. We will see continued attacks over the course of the year among organizations that do not patch their systems quickly. The NSA's responsible disclosure of the vulnerability to Microsoft is a step in the right direction. We look forward to continued public-private sector coordination.
January 15, 2020
Pratik Savla
Senior Security Engineer
Venafi
Digital signature is one of the most important mechanisms Microsoft provides. This process was created to prevent malicious payload distribution campaigns. Any compromise could spell significant trouble because attackers who are successful in spoofing code signing certificates can masquerade a malicious program as a legitimate Windows system binary. This weakness could be helpful in executing a variety of scenarios. For example, if an attacker is thinking of establishing a Remote Access Trojan (RAT) and a Command and Control (C2) channel on a targeted Windows machine, they look for ways to avoid detection of the payload to establish persistence. If attackers disguise a malicious executable binary so it looks like a Windows system binary, it can remain undetected by AV. This could allow attackers to blend in and install it, and they get the C2 channel re-established on reboot.
January 15, 2020
Max Vetter
Chief Cyber Officer
Immersive Labs
While this is clearly a massive vulnerability within Windows systems, it is important to place this in the bigger picture. Just because the flaw was discovered by the NSA does not automatically elevate this threat to international levels, or mean that it presents a bigger risk to business than other threats. It is important to place the vulnerability in context, so that the highest threats are prioritised first. In the same Microsoft update much more potent vulnerabilities with higher CVSS scores were patched, which organisations should prioritise over this specific flaw. While it is clearly vital that businesses do update their systems regularly, it is also important that you do not get distracted by the glamour of a lesser vulnerability. Human capability in cyber security is such a valuable resource, so ultimately being aware of all threats is a much better approach than being distracted by one.