Windows administrators are being urged to install today’s Patch Tuesday updates for Win10 as soon as they can after the Washington Post reported that it fixes a major flaw in the operating system.
The news service said the U.S. National Security Agency, which quietly hunts for and tries to leverage software flaws it finds for spying, recently alerted Microsoft of the problem in Win10’s ability to verify digital signatures used to confirm if updates are legitimate, as well as signed files and emails.
If attackers can infiltrate Windows by using this hole it would mean computers around the world could be at risk.
Affected versions are Windows 10, Windows Server 2016 and Windows Server 2019.
The federal government Canadian Centre for Cyber Security issued an alert saying an ‘improper certificate validation’ vulnerability, tracked as CVE-2020-0601, prevents Windows from accurately verifying cryptographic trust and may allow an actor to impersonate a trusted entity. “Exploitation of this vulnerability would defeat systems that rely on the use of valid certificates to ensure cryptographic trust, allowing full access to encrypted communications and for the ability to execute any code with permissions reserved for trusted software.”
The security update ensures that Windows CryptoAPI completely validates certificates.
After installing the update administrators will know if an attacker is trying to exploit the vulnerability if a system generates Event ID 1 in the Windows Event Viewer after each reboot under Windows Logs/Application.
The NSA also issued a rare alert, advising administrators that if enterprise-wide, automated patching is not possible priority for manual patching should go to endpoints that provide essential or broadly replied-upon services such as Windows-based web appliances, web servers, proxies that perform TLS validation, machines that host critical infrastructure (e.g. domain controllers, DNS servers, update servers, VPN servers, IPSec negotiation), machines directly exposed to the internet and those regularly used by privileged users
Industry experts immediately praised the NSA for disclosing the flaw rather than exploiting it. The NSA has been widely criticized for apparently keeping secret a hacking tool for exploiting Windows bug in all versions dubbed EternalBlue. That vulnerability was unknown until the NSA was hacked and a number of exploits were stolen.
The NSA quietly told Microsoft of the bug and it issued a fix in March 2017. Shortly afterward a group calling itself the Shadow Brokers released the EternalBlue code, which led to others exploiting it.
“For the U.S. government to share its discovery of a critical vulnerability with a vendor is exceptionally rare if not unprecedented,” said Amit Yoran, CEO of security vendor Tenable. “It underscores the criticality of the vulnerability and we urge all organizations to prioritize patching their systems quickly. The fact that Microsoft provided a fix in advance to the U.S. government and other customers that provide critical infrastructure is also highly unusual. These are clearly noteworthy shifts from regular practices and make this vulnerability worth paying attention to and also worth asking questions about. How long ago was the vulnerability discovered? How long did it take from discovery to reporting? Was it used by the NSA? Has it been observed being used by foreign intelligence services already? What triggered the vendor disclosure? None of these questions change what organizations need to do at this point to protect themselves, but their answers might tell us a lot more about the environment we operate in.”
On Monday there were early but unconfirmed reports of the problem.Security reporter Brian Krebs said unnamed sources told him the vulnerability is in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles “certificate and cryptographic messaging functions in the CryptoAPI.”
The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography and includes functionality for encrypting and decrypting data using digital certificates.