Expert Comments

Major Flaw In Windows 10 Discovered By The NSA – Experts Reactions

Expert(s): Security Experts
Expert(s): Security Experts Published: Last Updated on

Microsoft has released a software update to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organisations have been asked to sign agreements preventing them from disclosing details of the flaw prior to the first Patch Tuesday of 2020, taking place yesterday.

According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles “certificate and cryptographic messaging functions in the CryptoAPI.” The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates.

A critical vulnerability in this Windows component could have wide-ranging security implications for a number of important Windows functions, including authentication on Windows desktops and servers, the protection of sensitive data handled by Microsoft’s Internet Explorer/Edge browsers, as well as a number of third-party applications and tools.

Experts Comments

Dot Your Expert Comments
Wicus Ross
January 16, 2020
Senior Researcher
SecureData

Microsoft has also released patches in response to two other vulnerabilities regarding the Remote Desktop Gateway.
The flaw exists in the validation process of digital certificates, which are used by various services including web servers to validate identity, authenticity and to establish confidential communication channels. While this means that an attacker could potentially eavesdrop on a confidential conversation or impersonate another entity, there is very little public information available on how the vulnerability could be exploited. The only acceptable mitigation against this vulnerability is to.....Read More
The flaw exists in the validation process of digital certificates, which are used by various services including web servers to validate identity, authenticity and to establish confidential communication channels. While this means that an attacker could potentially eavesdrop on a confidential conversation or impersonate another entity, there is very little public information available on how the vulnerability could be exploited. The only acceptable mitigation against this vulnerability is to install the applicable Microsoft patch. Microsoft has also released patches in response to two other vulnerabilities regarding the Remote Desktop Gateway. However, we expect attackers to be ready to craft new exploits that can target these gateway servers, which are normally internet facing. They have had ample time to hone their skills at exploiting vulnerabilities in Remote Desktop ever since similar vulnerabilities were published in September 2019.  Read Less
Kevin Bocek
January 15, 2020
VP Security Strategy & Threat Intelligence
Venafi

These vulnerabilities should remind us about the blind trust we have in cryptography and machine identities.
Every Windows device relies on trust established by TLS and code signing certificates, which act as machine identities. If you break these identities, you won’t be able to tell the difference between malware and Microsoft software. It’s good that Microsoft is treating this with urgency, any vulnerability with the core part of Windows is serious. In addition to your own certificates, there are hundreds of Certificate Authorities installed in Windows. Unfortunately, many organisations are.....Read More
Every Windows device relies on trust established by TLS and code signing certificates, which act as machine identities. If you break these identities, you won’t be able to tell the difference between malware and Microsoft software. It’s good that Microsoft is treating this with urgency, any vulnerability with the core part of Windows is serious. In addition to your own certificates, there are hundreds of Certificate Authorities installed in Windows. Unfortunately, many organisations are completely unaware of the number of certificates on their system and cyber attackers are more than willing to exploit this. These vulnerabilities should remind us about the blind trust we have in cryptography and machine identities. Security teams need visibility, intelligence and automation to know where their machine identities are and the ability to change them.  Read Less
Jonathan Knudsen
January 16, 2020
Senior Security Strategist
Synopsys

The seriousness of this vulnerability demonstrates the importance of updating.
Software rots over time. It is not that the software is actually changing and getting worse; instead, vulnerabilities that were already in the software and its component building blocks are discovered over time. CVE-2020-0601, recently disclosed by Microsoft, is a vulnerability at the heart of the system of trust that underlies software applications for the Windows operating system. Legitimate developers can cryptographically sign their software, which proves its legitimacy to users at.....Read More
Software rots over time. It is not that the software is actually changing and getting worse; instead, vulnerabilities that were already in the software and its component building blocks are discovered over time. CVE-2020-0601, recently disclosed by Microsoft, is a vulnerability at the heart of the system of trust that underlies software applications for the Windows operating system. Legitimate developers can cryptographically sign their software, which proves its legitimacy to users at installation time. The vulnerability in crypt32.dll, a fundamental component of Windows, enables an attacker to supply malware that appears to be legitimate. This means that users can unwittingly install bad software even though when are relying on the code signing mechanism to give them assurance of its safety. The seriousness of this vulnerability demonstrates the importance of updating. People often say “if it ain’t broke, don’t fix it.” Unfortunately, this attitude is disastrous in software security, where the expression should be “if it ain’t broke, it will be soon.” That is why updating software is critically important. New versions of software are released to fix vulnerabilities; if you don’t update, attackers are able to exploit these vulnerabilities to steal information or take control of your systems. Unfortunately, updating software sometimes causes things to stop working. Many organizations are reluctant to update as soon as patches are available because of the risk of losing functionality. Each organization must find the line that balances the risk of breakage against the risk of attackers exploiting a vulnerability.  Read Less
Tim Mackey
January 16, 2020
Principal Security Strategist
Synopsys CyRC

Exploitation of this vulnerability will allow an attacker to bypass the trust of all network connections on Windows 10.
There are times when it’s reasonable to defer a patch, but deferring the patch for CVE-2020-0601 isn’t one of them. The underlying component, crypt32.dll is used for all digital signatures on Windows computers – servers and desktops. This is the component which helps verify SSL connections, whether software packages are legitimate, and whether a digital certificate submitted for email authentication is valid, among many other security items. Exploitation of this vulnerability will allow.....Read More
There are times when it’s reasonable to defer a patch, but deferring the patch for CVE-2020-0601 isn’t one of them. The underlying component, crypt32.dll is used for all digital signatures on Windows computers – servers and desktops. This is the component which helps verify SSL connections, whether software packages are legitimate, and whether a digital certificate submitted for email authentication is valid, among many other security items. Exploitation of this vulnerability will allow an attacker to bypass the trust of all network connections on Windows 10 and Windows Server 2016/2019 systems, or those referencing them. With the attention CVE-2020-0601 is receiving, attackers will be crafting their attacks with an eye to profiting from those who lag in their patch procedures. Priority should be placed on patching any Windows device connected to the internet, or fulfilling a network service function like DNS, web proxy, VPN server, domain controllers or systems validating trust. As with any vulnerability, if the system is used by a privilege user, then timely application of patches is critical. In the case of CVE-2020-0601, priority should be placed on patching any system used by a privileged user or by a user with access to sensitive data.  Read Less
Amit Yoran
January 15, 2020
Chairman and CEO
Tenable

None of these questions change what organisations need to do at this point to protect themselves.
For the U.S. government to share its discovery of a critical vulnerability with a vendor is exceptionally rare if not unprecedented. It underscores the criticality of the vulnerability and we urge all organisations to prioritise patching their systems quickly. The fact that Microsoft provided a fix in advance to US Government and other customers which provide critical infrastructure is also highly unusual. These are clearly noteworthy shifts from regular practices and make this vulnerability.....Read More
For the U.S. government to share its discovery of a critical vulnerability with a vendor is exceptionally rare if not unprecedented. It underscores the criticality of the vulnerability and we urge all organisations to prioritise patching their systems quickly. The fact that Microsoft provided a fix in advance to US Government and other customers which provide critical infrastructure is also highly unusual. These are clearly noteworthy shifts from regular practices and make this vulnerability worth paying attention to and also worth asking questions about. How long ago was the vulnerability discovered? How long did it take from discovery to reporting? Was it used by the NSA? Has it been observed being used by foreign intelligence services already? What triggered the vendor disclosure? None of these questions change what organisations need to do at this point to protect themselves, but their answers might tell us a lot more about the environment we operate in.  Read Less
Boris Cipot
January 15, 2020
Senior Sales Engineer
Synopsys

Importantly, users are also urged not to trust website or emails with links that offer patches for the crypot32.dll.
This is serious news, as the crypt32.dll is a module needed for securing the Microsoft Operating Systems. We still don’t know precisely what the bug is and how easily it could be exploited, as that hasn’t been fully disclosed yet, but there are some pointers online that can give us an idea. We will be able to say more once the patch will be released. Users are advised to apply the patch for the crypt23.dll as soon as an update is released. However, an issue remains for all the Windows 7.....Read More
This is serious news, as the crypt32.dll is a module needed for securing the Microsoft Operating Systems. We still don’t know precisely what the bug is and how easily it could be exploited, as that hasn’t been fully disclosed yet, but there are some pointers online that can give us an idea. We will be able to say more once the patch will be released. Users are advised to apply the patch for the crypt23.dll as soon as an update is released. However, an issue remains for all the Windows 7 operating systems that are still in use, for which the support is ending today, 14th of January. It will be up to Microsoft to decide whether they will release a last patch, even after the software reached its end of life. Importantly, users are also urged not to trust website or emails with links that offer patches for the crypot32.dll. Phishers prey on announcements of security flaws and design campaigns aimed at exploiting people’s desire to patch a vulnerability as soon as possible. It is important to use the official channels to update operating systems, in this case the Update and Security section in Windows’ 10 settings. Windows 7 users should also run the updates if they’ll be provided, and should ideally upgrade to Windows 10 to avoid being unnecessarily exposed to risks.  Read Less
Ambuj Kumar
January 15, 2020
CEO
Fortanix

Elliptic curves have had a bad reputation.
Elliptic curves have had a bad reputation. Microsoft's disclosure today that "CryptoAPI fails to properly validate certificates that use Elliptic Curve Cryptography (ECC), which may allow an attacker to spoof the validity of certificate chains" and not providing a root cause leaves many questions unanswered. It'll certainly not help with all the previous history of trustworthiness of ECC.
Saryu Nayyar
January 15, 2020
CEO
Gurucul

These sorts of vulnerabilities are also most likely to be exploited by advanced cyber criminals and nation-state attackers.
Unpatched vulnerabilities like this are actually some of the most dangerous types of cyber threats because they’re not known vulnerabilities and cannot be defended using conventional signature-based security tools. These sorts of vulnerabilities are also most likely to be exploited by advanced cyber criminals and nation-state attackers to carry out sophisticated attacks that many organisations are not prepared to stop. This is a case where security analytics could help identify and stop.....Read More
Unpatched vulnerabilities like this are actually some of the most dangerous types of cyber threats because they’re not known vulnerabilities and cannot be defended using conventional signature-based security tools. These sorts of vulnerabilities are also most likely to be exploited by advanced cyber criminals and nation-state attackers to carry out sophisticated attacks that many organisations are not prepared to stop. This is a case where security analytics could help identify and stop threats emanating from this vulnerability. By comparing real-time behaviour of users and entities to normal baselined behaviour, it’s possible to identify activities that are indicative of a cyber attack and intervene before it’s too late.  Read Less
Chris Hodson
January 15, 2020
CISO
Tanium

As we have learnt from attacks like WannaCry, the failure to patch known vulnerabilities can be devastating.
The Patch Tuesday update from Microsoft revealed a critical security vulnerability in its cryptographic library used by Windows 10, Server 2016, and Server 2019. An attacker could use this vulnerability to spoof a code-signing certificate, sign a malicious executable, and make it look like it was from a trusted source. An attacker could also conduct man-in-the-middle attacks against affected software and decrypt sensitive information. As we have learnt from attacks like WannaCry, the.....Read More
The Patch Tuesday update from Microsoft revealed a critical security vulnerability in its cryptographic library used by Windows 10, Server 2016, and Server 2019. An attacker could use this vulnerability to spoof a code-signing certificate, sign a malicious executable, and make it look like it was from a trusted source. An attacker could also conduct man-in-the-middle attacks against affected software and decrypt sensitive information. As we have learnt from attacks like WannaCry, the failure to patch known vulnerabilities can be devastating. For businesses, it is essential to have visibility and control of all endpoints, such as servers and laptops, to ensure that patching of this vulnerability is completed. Organisations cannot protect assets they can’t see, so will need the most up-to-date and accurate view of their security environment to ensure they are best protected. The NSA has advised that the consequence of failing to patch could be severe and widespread, so it is imperative that security professionals and IT leaders take this action seriously and act quickly.  Read Less
Stuart Reed
January 15, 2020
UK Director
Orange Cyberdefense

Actively ensuring the patch is deployed or monitoring the network more broadly.
The existence of this vulnerability serves as a reminder of just how important it is to have processes and technology in place that can act quickly. Whether it’s checking automatic updates are enabled, actively ensuring the patch is deployed or monitoring the network more broadly, as an operating system that it utilised by a large portion of organisations today, the scale and severity of this incident cannot be overlooked. While security teams can become overwhelmed with security alerts and.....Read More
The existence of this vulnerability serves as a reminder of just how important it is to have processes and technology in place that can act quickly. Whether it’s checking automatic updates are enabled, actively ensuring the patch is deployed or monitoring the network more broadly, as an operating system that it utilised by a large portion of organisations today, the scale and severity of this incident cannot be overlooked. While security teams can become overwhelmed with security alerts and updates, there is a responsibility to protect the data held and customers served; whether you’re a Fortune 500, government organisation or a small business. An active mindset around security is paramount if organisations are to avoid falling victim to bad actors looking to make use of these types of vulnerabilities.  Read Less
Renaud Deraison
January 15, 2020
Co-founder and CTO
Tenable

CVE-2020-0601 hits at the very trust we have in today's digital computing environments.
CVE-2020-0601 hits at the very trust we have in today's digital computing environments -- trust to authenticate binaries and trust that our ciphered communications are properly protected. The flaw would enable an attacker, among other things, to exploit how Windows verifies cryptographic trust, enabling them to deliver executable code and making it look like it came from a trusted source. You can imagine its use in ransomware and phishing attacks on unpatched systems. This is a serious.....Read More
CVE-2020-0601 hits at the very trust we have in today's digital computing environments -- trust to authenticate binaries and trust that our ciphered communications are properly protected. The flaw would enable an attacker, among other things, to exploit how Windows verifies cryptographic trust, enabling them to deliver executable code and making it look like it came from a trusted source. You can imagine its use in ransomware and phishing attacks on unpatched systems. This is a serious vulnerability and one that we fully expect to see exploited in the wild in the coming weeks and months. We will see continued attacks over the course of the year among organizations that do not patch their systems quickly. The NSA's responsible disclosure of the vulnerability to Microsoft is a step in the right direction. We look forward to continued public-private sector coordination.  Read Less
Pratik Savla
January 15, 2020
Senior Security Engineer
Venafi

Digital signature is one of the most important mechanisms Microsoft provides.
Digital signature is one of the most important mechanisms Microsoft provides. This process was created to prevent malicious payload distribution campaigns. Any compromise could spell significant trouble because attackers who are successful in spoofing code signing certificates can masquerade a malicious program as a legitimate Windows system binary. This weakness could be helpful in executing a variety of scenarios. For example, if an attacker is thinking of establishing a Remote Access.....Read More
Digital signature is one of the most important mechanisms Microsoft provides. This process was created to prevent malicious payload distribution campaigns. Any compromise could spell significant trouble because attackers who are successful in spoofing code signing certificates can masquerade a malicious program as a legitimate Windows system binary. This weakness could be helpful in executing a variety of scenarios. For example, if an attacker is thinking of establishing a Remote Access Trojan (RAT) and a Command and Control (C2) channel on a targeted Windows machine, they look for ways to avoid detection of the payload to establish persistence. If attackers disguise a malicious executable binary so it looks like a Windows system binary, it can remain undetected by AV. This could allow attackers to blend in and install it, and they get the C2 channel re-established on reboot.  Read Less
Max Vetter
January 15, 2020
Chief Cyber Officer
Immersive Labs

Human capability in cyber security is such a valuable resource.
While this is clearly a massive vulnerability within Windows systems it is important to place this in the bigger picture. Just because the flaw was discovered by the NSA does not automatically elevate this threat to international levels, or that it presents a bigger risk to business than other threats. It is important to place the vulnerability in context, so that the highest threats are prioritised first. In the same Microsoft update much more potent vulnerabilities with higher CVS scores.....Read More
While this is clearly a massive vulnerability within Windows systems it is important to place this in the bigger picture. Just because the flaw was discovered by the NSA does not automatically elevate this threat to international levels, or that it presents a bigger risk to business than other threats. It is important to place the vulnerability in context, so that the highest threats are prioritised first. In the same Microsoft update much more potent vulnerabilities with higher CVS scores were patched, which organisations should prioritise over this specific flaw. While it is clearly vital that businesses do update their systems regularly it is also important that you do not get distracted by the glamour of a lesser vulnerability. Human capability in cyber security is such a valuable resource, so ultimately being aware of all threats is a much better approach than being distracted by one.  Read Less

Dot Your Expert Comments


Only for registered and approved experts. Please register before providing comments. Register here
* By using this form you agree with the storage and handling of your data by this web site.
Submit
0
FacebookTwitterLinkedinWhatsappEmail

You may also like

Fake App Attacks On The Rise, As Malware Hides In...

Expert On Study That Brits Using Pets’ Names As Online...

Expert Reaction On Europol Publishes Its Serious And Organised Crime...

Fake Netflix App Allows Hackers to Hijack WhatsApp

Hackers Pretend To Be Your Friend In The Latest WhatsApp...

Millions Of Brits Still Using Pet’s Names As Passwords Despite...

Advertised Sites May Appear Genuine On First Glance

Facebook Ran Ads For Malware-ridden ‘Clubhouse for PC’

Linkedin Data Of 500 Million Users Being Sold Online

Experts Comments On Identity Management Day – Tuesday 13th April