As expected, Microsoft did reveal a fundamental flaw in Windows that affected Windows 10’s cryptographic library. January’s Patch Tuesday updates issued today, however, fix the issue, which is specific to Windows 10 and Windows Server.
The flaw, CVE-2020-0601, was found in the usermode cryptographic library, CRYPT32.DLL, that affects Windows 10 systems. (Contrary to earlier rumors, it does not affect Windows 7, which coincidentally is being shut down Tuesday as well.) Fortunately, Microsoft reported that the library was not in active use, though that doesn’t prevent an attacker from weaponizing it now that it’s been disclosed.
Specifically, the attack could allow malware to hide behind a spoofed cyrptographic signature. Antivirus software could therefore identify malware as legitimate applications, or fake banking sites could use the vulnerability to trick a user’s PC into thinking it was legitimate.
Microsoft did not cite the source that reported the vulnerability. The Washington Post had reported that the National Security Agency (NSA) had developed the exploit, then turned it over to Microsoft. The NSA itself took credit for the discovery in a security advisory released Tuesday.
Specifically, CVE-2020-0601 will affect Windows 10, according to Microsoft. The NSA believes it will affect Windows Server 2016/2019 as well.
“Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities,” the NSA said. “Examples where validation of trust may be impacted include: HTTPS connections, signed files and emails, [and] signed executable code launched as user-mode processes.”
The NSA advised basically everyone to apply the Patch Tuesday patches as quickly as possible to avoid risking their PCs. “NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable,” the NSA wrote. “The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available.”
Users should ensure that their Windows 10 PCs are up to date, and make sure that they enable Windows Update to send down the patch when it’s ready. More details of the January 2020 Windows security updates are available here.