Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Microsoft addresses CVE-2020-0601 flaw, the first issue ever reported by NSA

Microsoft has released a security update to address “a broad cryptographic vulnerability” that is impacting its Windows operating system. Microsoft Patch Tuesday updates for January 2020 address a total of 49 vulnerabilities in various products, including a serious flaw, tracked as CVE-2020-0601, in the core cryptographic component of Windows 10, Server 2016 and 2019 editions. […]

Microsoft Patch Tuesday

Microsoft has released a security update to address “a broad cryptographic vulnerability” that is impacting its Windows operating system.

Microsoft Patch Tuesday updates for January 2020 address a total of 49 vulnerabilities in various products, including a serious flaw, tracked as CVE-2020-0601, in the core cryptographic component of Windows 10, Server 2016 and 2019 editions.

The CVE-2020-0601 vulnerability is different from any other previously addressed flaws because it was reported by the NSA and this is the first time that the US intelligence agency has reported a bug to the tech giant.

The flaw, dubbed ‘NSACrypt’ and tracked as CVE-2020-0601, resides in the Crypt32.dll module that contains various ‘Certificate and Cryptographic Messaging functions’ used by the Windows Crypto API for data encryption.  

The flaw affects the way Crypt32.dll module validates Elliptic Curve Cryptography (ECC) certificates.

In a press release published by the NSA, the agency explains “the certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution.”

“A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.” reads the security advisory published by Microsoft.

“An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.”

An attacker could exploit the flaw to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

An attacker could also trigger the issue to spoof digital signatures on software tricking the system into believing that it is a legitimate application.

Microsoft addressed the issue by ensuring that Windows CryptoAPI completely validates ECC certificates.

Microsoft did not release technical details of the vulnerability to avoid its public exploitation.

Microsoft confirmed that it is not aware of attacks in the wild exploiting the CVE-2020-0601 flaw.

“This month we addressed the vulnerability CVE-2020-0601 in the usermode cryptographic library, CRYPT32.DLL, that affects Windows 10 systems. This vulnerability is classed Important and we have not seen it used in active attacks.” reads a blog post published by Microsoft.

“This vulnerability is one example of our partnership with the security research community where a vulnerability was privately disclosed and an update released to ensure customers were not put at risk.”

The NSA has also released a security advisory that includes mitigation information.

“NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows®1 cryptographic functionality. The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution.” reads the NSA’s advisory.

“The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available”.

Microsoft also addresses 48 other vulnerabilities, 8 of which are rated as critical and remaining are rated as important.

None of the issues addressed this month by Microsoft were being exploited in the wild.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – CVE-2020-0601, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]