Right on the heels of yesterday’s urgent Firefox update, the NSA is urging Windows users to update Windows 10 right now with the CVE-2020-0601 patch, owing to a critical security flaw discovered by the NSA, reported to Microsoft, and apparently “essentially a mistake in the computer code.” Yes, that’s right, a mistake. How safe do you feel now?
Says the NSA, in their warning, “CVE-2020-0601 is a serious vulnerability, because it can be exploited to undermine Public Key Infrastructure (PKI) trust. PKI is a set of mechanisms that home users, businesses, and governments rely upon in a wide variety of ways. The vulnerability permits an attacker to craft PKI certificates to spoof trusted identifies, such as individuals, web sites, software companies, service providers, or others. Using a forged certificate, the attacker can (under certain conditions) gain the trust of users or services on vulnerable systems, and leverage that trust to compromise them.”
“Wait,” you may be saying, “the NSA?? The same NSA that for years exploited a flaw in Windows that came to be known as EternalBlue??” To refresh your memory, EternalBlue was an NSA hacking tool designed to exploit a security flaw in Windows that the NSA had discovered in 2012 and failed to tell Microsoft about because, you know, then they couldn’t exploit it.
Readers may remember our writing about it in the context of the City of Baltimore’s computer system being shut down by ransomware because they had failed to apply the patch which Microsoft had issued to shut that very same security hole, once Microsoft themselves discovered it in 2017. For those of you playing along at home, the NSA had it for 5 years before Microsoft found the flaw and shut it down, and that was likely only because the NSA’s toy, EternalBlue, had been leaked and was being used in malicious exploits.
|Get notified of new Internet Patrol articles for free!
Let us repeat: The City of Baltimore’s entire computer system was shut down and held for ransom by ransomware because they had failed to apply the security patch issued by Microsoft.
If that doesn’t make you stop and update your Windows right now if you haven’t already, we don’t know what will.
Oh, wait, maybe this will do it: today the NSA took the unheard of step of not only not exploiting an unintended back door into your Windows computer, but instead alerting Microsoft to the issue when they discovered it so that Microsoft could fix it and get the fix pushed out to your computer.
How serious does it have to be for the NSA to do that??
And if that doesn’t make you stop and update your Windows right now if you haven’t already, then you, our friend are part of the problem.
Here’s what Microsoft is saying about this VIP (Very Important Patch):
CVE-2020-0601 | Windows CryptoAPI Spoofing Vulnerability
Published: 01/14/2020 | Last Updated : 01/14/2020
On this page
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.
An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.
A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.
The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.
Your computer should either be updating automatically or alert you to the fact that there is an update. But if it doesn’t, using the computer that you want to update, go to this Microsoft page, and click on the “Check for Windows updates” link.
You can read Microsoft’s full documentation on CVE-2020-0601 here.
No Paywall Here!
The Internet Patrol is and always has been free. We don't hide our articles behind a paywall, or restrict the number of articles you can read in a month if you don't give us money. That said, it does cost us money to run the site, so if something you read here was helpful or useful, won't you consider donating something to help keep the Internet Patrol free? Thank you!
|Get notified of new Internet Patrol articles!