SECURITY ALERT: Microsoft releases critical security updates to fix major vulnerabilities
Do not delay these updates!
Microsoft released its regular patches on the second Tuesday of the month, and as always, they included fixes for multiple vulnerabilities. Namely, 49 security bugs have now been fixed, eight of which are considered critical.
Rumors started to circulate before the patches were officially out and sources were saying that Microsoft was very likely to fix “an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows.” The same sources were indicating that Microsoft had quietly shipped a patch for the bug to branches of the U.S. military and to other highly valuable customers that manage key Internet infrastructure. Those organizations were allegedly asked to sign agreements that forbade them from disclosing details of the flaw prior to the January 2020 Patch Tuesday.
Microsoft declined to respond to these allegations, saying that it did not wish to discuss the details before the patches were officially released.
In short, there were some early signs that some serious flaws were going to be fixed, and the first Patch Tuesday of this year only confirmed the rumors.
So, keep on reading to find out what you should expect from Microsoft’s January 2020 updates.
CVE-2020-0601, the Windows CryptoAPI Spoofing Vulnerability
By far the most significant security bug that has been fixed (CVE-2020-0601) is indeed critical.
Here is what Microsoft has to say about it in its Security Update Guide:
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.
An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious because the digital signature would appear to be from a trusted provider.
A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.
The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.
In other words, this vulnerability can allow an attacker to spoof and bypass the normal security mechanisms that validate the credibility of binary code, including ECC certificates, and this can circumvent your endpoint protection.
The vulnerability impacts Windows 10, Windows Server 2019, and Windows Server 2016 OS versions. According to Microsoft and the NSA (which first reported the bug), no active attacks were spotted before this month’s patch was released. The Agency has published its own security guide, with details on mitigation and on how to detect exploitation.
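The NSA guidance mentioned above treats certificates that carry explicitly defined elliptic curve parameters, rather than a named-curve OID, as candidates for review. The following added example (not from the original article, Microsoft or the NSA) classifies how a DER-encoded certificate describes its curve; the function names and the skeleton sample certificates are constructed for illustration.

```python
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # OID 1.2.840.10045.2.1
PRIME256V1 = bytes.fromhex("2a8648ce3d030107")      # OID 1.2.840.10045.3.1.7 (P-256)

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def ec_curve_encoding(cert_der):
    """Return 'named', 'explicit', 'other' or 'not-ec' for a DER certificate."""
    tbs = children(children(read_tlv(cert_der)[1])[0][1])
    if tbs[0][0] == 0xA0:  # skip the optional [0] version field
        tbs = tbs[1:]
    # Remaining order: serial, signature, issuer, validity, subject, SPKI
    alg = children(children(tbs[5][1])[0][1])  # SPKI -> AlgorithmIdentifier
    if alg[0] != (0x06, ID_EC_PUBLIC_KEY):
        return "not-ec"
    param_tag = alg[1][0] if len(alg) > 1 else None
    return {0x06: "named", 0x30: "explicit"}.get(param_tag, "other")

# --- Constructed skeleton certificates (structure only, not real certificates) ---
def tlv(tag, *parts):
    body = b"".join(parts)
    assert len(body) < 0x80, "sample builder emits short-form lengths only"
    return bytes([tag, len(body)]) + body

def skeleton_cert(params, oid=ID_EC_PUBLIC_KEY):
    spki = tlv(0x30, tlv(0x30, tlv(0x06, oid), params), tlv(0x03, bytes(66)))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"),
              tlv(0x30), tlv(0x30), tlv(0x30), tlv(0x30), spki)
    return tlv(0x30, tbs, tlv(0x30), tlv(0x03, b"\x00"))

NAMED = skeleton_cert(tlv(0x06, PRIME256V1))
EXPLICIT = skeleton_cert(tlv(0x30, tlv(0x02, b"\x01")))  # stub ECParameters SEQUENCE
print({"named": ec_curve_encoding(NAMED), "explicit": ec_curve_encoding(EXPLICIT)})
```

For a PEM file, convert it with `ssl.PEM_cert_to_DER_cert` before calling `ec_curve_encoding`. An `explicit` result is a reason to review the certificate, not proof of exploitation.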
CVE-2020-0609 and CVE-2020-0610, the vulnerabilities found in RDP
An additional relevant security update concerns the Windows Remote Desktop Gateway (RD Gateway) and addresses the CVE-2020-0610 and CVE-2020-0609 vulnerabilities. The update applies to Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019, and it’s crucial that you apply this update in a timely manner as well.
Sending a specially crafted request to an accessible and vulnerable RD Gateway via RDP opens the risk of arbitrary code execution. These vulnerabilities are reachable before the RDP authentication process and require no user interaction. A malicious hacker who manages to exploit these vulnerabilities may then be able to install programs, view, change, and delete data, and even create new accounts with full user rights, Microsoft said in its Security Update Guide.
We recommend that you place RDP services internally, so that they can, for instance, be accessed via a VPN connection and never as a service available via WAN / Internet.
Other notable vulnerabilities covered in January’s Patch Tuesday
Some other products that received fixes this month, besides Windows, include Internet Explorer, Microsoft Office, Microsoft Office Web Apps, Microsoft Dynamics, ASP.NET, the .NET Framework, and OneDrive for Android.
Patch, patch, and patch again
Here at Heimdal we always advise both organizations and individuals to never fall behind on their updates, since this practice alone will notably increase one’s defenses. Through our X-Ploit Resilience, which covers both Microsoft and 3rd party software, our corporate customers apply their patches four times faster than the global average. X-Ploit Resilience makes all updates and patches available within four hours of their launch, silently, in the background, with zero user interruption.
Even though Microsoft’s January 2020 Patch Tuesday is smaller than most of the other releases seen in the past, it is, without doubt, still highly important. And the main lesson here is to always keep up with your patches!