First 2020 Windows 10 patch: NSA predicts rapid attacks on “severe” crypto bug

Microsoft has released a patch for a spooky flaw in a core Windows cryptographic software library that allows an attacker to forge a code-signing digital certificate to sign malware. That means an attacker can pass off ransomware as legitimate software without the target ever knowing anything was amiss. 

The patch for the Windows CryptoAPI software library — tagged as CVE-2020-0601 — arrives as part of Microsoft’s first Patch Tuesday for 2020 and the last month the company is providing free security updates for Windows 7.

The flaw in the Windows cryptographic library was discovered by the US National Security Agency (NSA) and is the first bug Microsoft has credited the spy agency with reporting to it. Microsoft did not credit the NSA with the Windows SMB bug that enabled the agency’s leaked EternalBlue exploit and was used to spread WannaCry and NotPetya ransomware in 2017. 

News of the CryptoAPI bug and impending patch leaked on Monday, ahead of Microsoft’s Patch Tuesday, via security expert Brian Krebs, who described the bug as “extraordinarily serious”.

NSA director of cybersecurity Anne Neuberger said at a press conference ahead of Microsoft’s January 2020 release that NSA researchers discovered the bug independently in their own probe. 

Microsoft has now said that it is not aware of the bug having been exploited, but that exploitation is “more likely” for both new and old releases of Windows 10.

The CryptoAPI bug affects all versions of Windows 10, Windows Server 2016, Windows Server 2019, and the corresponding Windows Server Core Installation for Windows 10 versions 1803, 1903, and 1909. The bug does not affect Windows 7, which is still widely used despite this being the last month of free patches.  

Microsoft clarified a claim in Krebs’ report that the company had quietly shipped a patch for the bug exclusively to branches of the US military and to customers that manage key internet infrastructure.

Microsoft said it doesn’t release production-ready updates ahead of Patch Tuesday, but that it does release “advance versions” of its security updates through the Security Update Validation Program, which allows participating customers to test Microsoft’s patches against their own images, infrastructure, and apps to help Microsoft iron out glitches more quickly.     

The bug resides in Crypt32.dll and is due to the way the software library validates Elliptic Curve Cryptography (ECC) certificates. ECC is a take on public-key cryptography, which uses public keys that can be shared widely and private keys that should only be known to the owner. 
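The article says only that the flaw lies in how Crypt32.dll validates ECC certificates. Microsoft’s and the NSA’s published guidance for this patch attributes the problem to certificates whose ECC public key carries explicit (attacker-chosen) curve parameters instead of a named curve. The following Python is an added example, not code from the article, Microsoft or the NSA: a minimal DER reader that classifies an ECC SubjectPublicKeyInfo and accepts it only when its parameters name a known curve. The sample SPKI structures are constructed inline (the public-key bytes are dummies), and the check is a simplified stand-in for what a certificate verifier should enforce, not a reproduction of the CryptoAPI code.

```python
"""Classify an ECC SubjectPublicKeyInfo (DER) by how its curve parameters are given."""

# Object identifiers as DER content bytes (well-known values).
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # 1.2.840.10045.2.1
NAMED_CURVES = {
    bytes.fromhex("2a8648ce3d030107"): "prime256v1",  # 1.2.840.10045.3.1.7
    bytes.fromhex("2b81040022"): "secp384r1",         # 1.3.132.0.34
    bytes.fromhex("2b81040023"): "secp521r1",         # 1.3.132.0.35
}
PRIME_FIELD_OID = bytes.fromhex("2a8648ce3d0101")    # 1.2.840.10045.1.1 (used in a constructed sample)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER element (used only to build the constructed samples)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def classify_ec_spki(spki: bytes) -> str:
    """Return the named curve, or a label describing why the key should not be trusted."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo is not a SEQUENCE")
    tag, alg, _ = _read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, oid, pos = _read_tlv(alg, 0)
    if tag != 0x06 or oid != ID_EC_PUBLIC_KEY:
        return "not-ec"
    if pos >= len(alg):
        return "implicit-or-absent"
    ptag, params, _ = _read_tlv(alg, pos)
    if ptag == 0x06:  # ECParameters.namedCurve
        return NAMED_CURVES.get(params, "unknown-named-curve")
    if ptag == 0x30:  # ECParameters.specifiedCurve: attacker-controllable domain parameters
        return "explicit-parameters"
    return "implicit-or-absent"


def is_acceptable(spki: bytes) -> bool:
    """Accept only keys whose parameters name a curve from the allowlist."""
    return classify_ec_spki(spki) in NAMED_CURVES.values()


# --- constructed samples (dummy public-key bytes, not real keys) ---
def _spki(params: bytes, pubkey: bytes = b"\x04" + b"\x11" * 64) -> bytes:
    alg = _der(0x30, _der(0x06, ID_EC_PUBLIC_KEY) + params)
    return _der(0x30, alg + _der(0x03, b"\x00" + pubkey))

NAMED_SAMPLE = _spki(_der(0x06, bytes.fromhex("2a8648ce3d030107")))
EXPLICIT_SAMPLE = _spki(_der(0x30,
    _der(0x02, b"\x01")                                   # version
    + _der(0x30, _der(0x06, PRIME_FIELD_OID) + _der(0x02, b"\x7f" * 32))  # fieldID (stub prime)
    + _der(0x30, _der(0x04, b"\x00" * 32) + _der(0x04, b"\x00" * 32))     # curve a, b (stubs)
    + _der(0x04, b"\x04" + b"\x22" * 64)                  # base point (stub)
    + _der(0x02, b"\x7f" * 32)))                          # order (stub)

if __name__ == "__main__":
    for name, sample in (("named", NAMED_SAMPLE), ("explicit", EXPLICIT_SAMPLE)):
        print(name, classify_ec_spki(sample), "accepted" if is_acceptable(sample) else "rejected")
```

The allowlist of named curves is the policy knob: a verifier that only matches the public-key bytes against a trusted root, without also insisting on a named curve it recognises, has nothing tying the key to the curve it was generated on.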

“An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source,” Microsoft explains. 

“The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.”

An attacker could also exploit the flaw to “conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software,” Microsoft added. 

Microsoft notes there are no workarounds for this bug. Security teams can, however, tell if someone is attempting to use a spoofed certificate to exploit the flaw, though only after the security update is applied.

Microsoft has rated the bug as “important” as opposed to the more severe “critical” rating. 

But according to the NSA, the bug is “critical” since it “allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution.” It also predicts attackers will pounce on the flaw once they understand its usefulness.

Scenarios attackers could exploit include HTTPS connections, signed files and emails, and signed executable code launched as a user-mode process. 

“NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable,” the NSA wrote in a media release urging Windows users to patch immediately.

“The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.”

Microsoft’s January 2020 security updates address eight critical flaws out of the total of 49 bugs it disclosed. The updates are for Windows, Internet Explorer, Microsoft Office and Microsoft Office Services and Web Apps, ASP.NET Core, .NET Core, .NET Framework, OneDrive for Android, and Microsoft Dynamics.

The Zero Day Initiative’s Dustin Childs notes that while the Windows CryptoAPI bug is only rated “important” it could have a far-reaching impact because ransomware attackers could use it to pass off file-encrypting malware as harmless software.   

“It’s not hard to imagine how attackers could employ this tactic. For example, ransomware or other spyware is much easier to install when it appears to have a valid certificate,” wrote Childs.

“The patch also creates a new entry in the Windows event logs if someone attempts to use a forged certificate against a patched (and rebooted) system. This is significant and will help admins determine if they have been targeted.”
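The article notes that the patch writes a new event log entry when a forged certificate is presented to a patched and rebooted system. Microsoft’s published guidance for the update identifies that entry as Event ID 1 from the Audit-CVE provider (Microsoft-Windows-Audit-CVE) in the Application log, with the text “[CVE-2020-0601] cert validation” in the message. The following Python is an added example, not code from the article or from Microsoft: it scans a CSV export of the Application log (the column layout and every sample row are constructed for this example, and the message wording is an approximation) and returns the matching attempts so an admin can see whether, and when, a host was targeted.

```python
"""Find CVE-2020-0601 detection events in a CSV export of the Windows Application log."""
import csv
import io
from datetime import datetime

# Provider/ID/marker per Microsoft's guidance for the January 2020 update.
AUDIT_CVE_PROVIDER = "Microsoft-Windows-Audit-CVE"
AUDIT_CVE_EVENT_ID = 1
CVE_MARKER = "[CVE-2020-0601]"

# Constructed sample export (TimeCreated, ProviderName, Id, Message).
# Rows are made up for this example; message texts approximate the real wording.
SAMPLE_EXPORT = """TimeCreated,ProviderName,Id,Message
2020-01-15T09:12:01,Microsoft-Windows-Security-SPP,903,"The Software Protection service has stopped."
2020-01-15T09:14:33,Microsoft-Windows-Audit-CVE,1,"Possible detection of CVE: 2020-01-15T09:14:33 Additional Information: [CVE-2020-0601] cert validation"
2020-01-15T09:14:40,MsiInstaller,1,"Product installation started"
2020-01-15T11:02:17,Microsoft-Windows-Audit-CVE,1,"Possible detection of CVE: 2020-01-15T11:02:17 Additional Information: [CVE-0000-0000] placeholder for an unrelated audited CVE"
2020-01-15T13:45:09,Microsoft-Windows-Audit-CVE,1,"Possible detection of CVE: 2020-01-15T13:45:09 Additional Information: [CVE-2020-0601] cert validation"
"""


def parse_export(csv_text: str):
    """Yield one dict per row with Id as int and TimeCreated as datetime."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["Id"] = int(row["Id"])
        row["TimeCreated"] = datetime.fromisoformat(row["TimeCreated"])
        yield row


def find_forged_cert_attempts(csv_text: str) -> list:
    """Return rows that match the CVE-2020-0601 audit event exactly."""
    hits = []
    for row in parse_export(csv_text):
        if row["ProviderName"] != AUDIT_CVE_PROVIDER or row["Id"] != AUDIT_CVE_EVENT_ID:
            continue
        if CVE_MARKER not in row["Message"]:
            continue  # the same provider/ID can carry other CVE markers; keep only this one
        hits.append(row)
    return hits


def summarize(csv_text: str):
    """Return (count, first_seen, last_seen) for the host's export, or (0, None, None)."""
    hits = find_forged_cert_attempts(csv_text)
    if not hits:
        return 0, None, None
    times = [h["TimeCreated"] for h in hits]
    return len(hits), min(times), max(times)


if __name__ == "__main__":
    count, first, last = summarize(SAMPLE_EXPORT)
    print(f"{count} CVE-2020-0601 attempt(s); first {first}, last {last}")
```

Absence of this event is not evidence of absence: as the article stresses, the event is only written on a system that has installed the update and rebooted, so an unpatched host shows nothing even when targeted.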

Copyright © 2020 IDG Communications, Inc.