Major Flaw In Windows 10 Discovered By The NSA – Expert Reactions

Microsoft has released a software update to fix an extraordinarily serious security vulnerability in a core cryptographic component of Windows. Sources say Microsoft quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers (and targets) that manage key Internet infrastructure, and that those organisations were asked to sign agreements preventing them from disclosing details of the flaw before the first Patch Tuesday of 2020, which took place yesterday.

According to sources, the vulnerability resides in a Windows component known as crypt32.dll, the module that Microsoft says handles “certificate and cryptographic messaging functions in the CryptoAPI.” The Microsoft CryptoAPI provides services that let developers secure Windows-based applications with cryptography, including functionality for encrypting, decrypting, signing and verifying data using digital certificates.

A critical vulnerability in this component could have wide-ranging security implications for a number of important Windows functions, including certificate-based authentication on Windows desktops and servers, the TLS protection of sensitive data handled by Microsoft’s Internet Explorer/Edge browsers, and the signature and certificate checks performed by a number of third-party applications and tools that rely on CryptoAPI.
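Because the component described above is the one that validates both code signatures and TLS certificates on the host, the first thing a practitioner wants is a way to confirm that a given machine has picked up the fix and to see the validation path in action. The following PowerShell script is an added example, not code from the article or from Microsoft; it assumes a Windows 10 / Windows Server 2016+ host, uses only built-in cmdlets (Get-Item, Get-HotFix, Get-AuthenticodeSignature, Test-Certificate), and takes the Patch Tuesday date of 14 January 2020 as its cut-off rather than a specific KB number or file version, which the article does not give.

```powershell
# Added example, not code from the article: audit a Windows host for the crypt32.dll
# component described above. Everything here uses cmdlets built into Windows 10 /
# Windows Server 2016+ (Get-Item, Get-HotFix, Get-AuthenticodeSignature, Test-Certificate).
# ASSUMPTION: 14 January 2020 (the Patch Tuesday the article refers to) is used as the
# cut-off for "a cumulative update has been installed since the fix shipped"; no KB
# number or fixed file version is hard-coded, because the article does not give one.

$FixReleaseDate = Get-Date -Year 2020 -Month 1 -Day 14

function Get-Crypt32Status {
    # Report the on-disk crypt32.dll and any updates installed since the fix was released.
    $dll = Get-Item -Path (Join-Path $env:SystemRoot 'System32\crypt32.dll')
    $updates = Get-HotFix | Where-Object {
        $_.InstalledOn -and $_.InstalledOn -ge $FixReleaseDate
    } | Select-Object -ExpandProperty HotFixID

    [pscustomobject]@{
        FileVersion     = $dll.VersionInfo.FileVersion
        LastWriteTime   = $dll.LastWriteTime
        UpdatesSinceFix = @($updates)
        # A host with no update since the fix date is certainly unpatched; the converse
        # is not guaranteed, so still confirm against the vendor's own KB list.
        LikelyUnpatched = (@($updates).Count -eq 0)
    }
}

function Test-SignedFile {
    param([Parameter(Mandatory)][string]$Path)
    # Authenticode verification goes through CryptoAPI (crypt32.dll), the code path the
    # flaw lives in, so on an unpatched host a spoofed signer can pass this check.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $chainOk = $false
    if ($sig.SignerCertificate) {
        # Re-walk the signer's chain independently and require the Code Signing EKU
        # (OID 1.3.6.1.5.5.7.3.3).
        $chainOk = [bool](Test-Certificate -Cert $sig.SignerCertificate `
                                           -EKU '1.3.6.1.5.5.7.3.3' `
                                           -ErrorAction SilentlyContinue)
    }
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer     = $sig.SignerCertificate.Subject
        Issuer     = $sig.SignerCertificate.Issuer
        ChainValid = $chainOk
        Trusted    = ($sig.Status -eq 'Valid' -and $chainOk)
    }
}

# Usage: run from an elevated PowerShell session.
Get-Crypt32Status | Format-List
Test-SignedFile -Path (Join-Path $env:SystemRoot 'System32\notepad.exe') | Format-List
```

Because Test-SignedFile relies on the very CryptoAPI code that is vulnerable, a Trusted = True result only means something on a host that Get-Crypt32Status shows as updated; treat the patch state, not the signature verdict, as the authoritative signal.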

Wicus Ross, Senior Researcher
January 16, 2020 2:00 pm

The flaw exists in the validation process of digital certificates, which are used by various services including web servers to validate identity, authenticity and to establish confidential communication channels. While this means that an attacker could potentially eavesdrop on a confidential conversation or impersonate another entity, there is very little public information available on how the vulnerability could be exploited. The only acceptable mitigation against this vulnerability is to install the applicable Microsoft patch.

Microsoft has also released patches in response to two other vulnerabilities regarding the Remote Desktop Gateway. However, we expect attackers to be ready to craft new exploits that can target these gateway servers, which are normally internet facing. They have had ample time to hone their skills at exploiting vulnerabilities in Remote Desktop ever since similar vulnerabilities were published in September 2019.

Jonathan Knudsen, Senior Security Strategist
January 16, 2020 11:56 am

Software rots over time. It is not that the software is actually changing and getting worse; instead, vulnerabilities that were already in the software and its component building blocks are discovered over time.

CVE-2020-0601, recently disclosed by Microsoft, is a vulnerability at the heart of the system of trust that underlies software applications for the Windows operating system. Legitimate developers can cryptographically sign their software, which proves its legitimacy to users at installation time. The vulnerability in crypt32.dll, a fundamental component of Windows, enables an attacker to supply malware that appears to be legitimate. This means that users can unwittingly install bad software even though they are relying on the code signing mechanism to give them assurance of its safety.

The seriousness of this vulnerability demonstrates the importance of updating. People often say “if it ain’t broke, don’t fix it.” Unfortunately, this attitude is disastrous in software security, where the expression should be “if it ain’t broke, it will be soon.” That is why updating software is critically important. New versions of software are released to fix vulnerabilities; if you don’t update, attackers are able to exploit these vulnerabilities to steal information or take control of your systems. Unfortunately, updating software sometimes causes things to stop working. Many organizations are reluctant to update as soon as patches are available because of the risk of losing functionality. Each organization must find the line that balances the risk of breakage against the risk of attackers exploiting a vulnerability.

Tim Mackey, Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
January 16, 2020 11:53 am

There are times when it’s reasonable to defer a patch, but deferring the patch for CVE-2020-0601 isn’t one of them. The underlying component, crypt32.dll, is used for all digital signatures on Windows computers – servers and desktops. This is the component which helps verify SSL connections, whether software packages are legitimate, and whether a digital certificate submitted for email authentication is valid, among many other security items. Exploitation of this vulnerability will allow an attacker to bypass the trust of all network connections on Windows 10 and Windows Server 2016/2019 systems, or those referencing them. With the attention CVE-2020-0601 is receiving, attackers will be crafting their attacks with an eye to profiting from those who lag in their patch procedures. Priority should be placed on patching any Windows device connected to the internet, or fulfilling a network service function like DNS, web proxy, VPN server, domain controllers or systems validating trust. As with any vulnerability, if the system is used by a privileged user, then timely application of patches is critical. In the case of CVE-2020-0601, priority should be placed on patching any system used by a privileged user or by a user with access to sensitive data.

Amit Yoran, Chairman and CEO
January 15, 2020 1:41 pm

For the U.S. government to share its discovery of a critical vulnerability with a vendor is exceptionally rare if not unprecedented. It underscores the criticality of the vulnerability and we urge all organisations to prioritise patching their systems quickly. The fact that Microsoft provided a fix in advance to US Government and other customers which provide critical infrastructure is also highly unusual. These are clearly noteworthy shifts from regular practices and make this vulnerability worth paying attention to and also worth asking questions about. How long ago was the vulnerability discovered? How long did it take from discovery to reporting? Was it used by the NSA? Has it been observed being used by foreign intelligence services already? What triggered the vendor disclosure? None of these questions change what organisations need to do at this point to protect themselves, but their answers might tell us a lot more about the environment we operate in.

Boris Cipot, Senior Sales Engineer
January 15, 2020 12:15 pm

This is serious news, as crypt32.dll is a module needed for securing the Microsoft operating systems. We still don’t know precisely what the bug is and how easily it could be exploited, as that hasn’t been fully disclosed yet, but there are some pointers online that can give us an idea. We will be able to say more once the patch is released.

Users are advised to apply the patch for crypt32.dll as soon as an update is released. However, an issue remains for all the Windows 7 operating systems that are still in use, for which support is ending today, 14th of January. It will be up to Microsoft to decide whether they will release a last patch, even after the software has reached its end of life.

Importantly, users are also urged not to trust websites or emails with links that offer patches for crypt32.dll. Phishers prey on announcements of security flaws and design campaigns aimed at exploiting people’s desire to patch a vulnerability as soon as possible. It is important to use the official channels to update operating systems, in this case the Update and Security section in Windows 10’s settings.

Windows 7 users should also run the updates if they’ll be provided, and should ideally upgrade to Windows 10 to avoid being unnecessarily exposed to risks.
