ADVISORY: Update Windows for vulnerability
Tuesday, January 14, 2020
The information below was sent via email to U-M IT staff groups January 14, 2020. It is intended for U-M IT staff who are responsible for university devices running Windows. It may also be of interest to individuals with Windows on their personal devices.
Summary
The U.S. National Security Agency (NSA) has discovered a serious flaw in Windows that could expose users to threats such as malicious software, surveillance, or data breaches. Microsoft has just released updates, which should be applied as soon as possible after appropriate testing.
Problem
An attacker could exploit the vulnerability to conduct man-in-the-middle attacks and decrypt confidential information. An attacker could also exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.
Threats
There are no reports of this vulnerability being exploited in the wild at this time.
Affected Versions
An update is available for Windows 10. Updates are also available for Windows Server 2016 and 2019.
Action Items
Apply the latest update from Microsoft to Windows as soon as possible after appropriate testing.
Technical Details
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates, potentially allowing a malicious actor to spoof a valid X.509 certificate chain on a vulnerable system. Crypt32.dll is a Windows module that Microsoft says handles certificate and cryptographic messaging functions in the CryptoAPI. The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates.
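As an added example (not part of the U-M advisory or of any Microsoft tooling), the PowerShell below gives IT staff a quick way to confirm on a Windows 10 or Server 2016/2019 host that the January 14, 2020 update is present and to look for the audit events Microsoft added with the fix. It assumes that any update installed on or after January 14, 2020 is a hint (not proof) that the CryptoAPI fix is in place, so confirm against the KB article for your build; the event provider name Microsoft-Windows-Audit-CNG and Event ID 1 come from Microsoft's release notes for the fix, not from this page.

```powershell
# Added example, not part of the U-M advisory: post-patch check for the
# Windows CryptoAPI (Crypt32.dll) ECC certificate validation flaw.
# Assumption: updates installed on/after this date are treated as a hint
# that the January 14, 2020 fix is present. Verify against the KB for your build.
$patchDate = [datetime]'2020-01-14'

function Get-CryptoApiPatchState {
    # Get-HotFix lists installed updates; InstalledOn is empty for some entries.
    $recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchDate }
    $dll = Get-Item "$env:SystemRoot\System32\crypt32.dll"
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OSVersion         = [System.Environment]::OSVersion.Version.ToString()
        Crypt32Version    = $dll.VersionInfo.FileVersion
        Crypt32LastWrite  = $dll.LastWriteTime
        UpdatesSincePatch = ($recent | Select-Object -ExpandProperty HotFixID) -join ','
        LikelyPatched     = [bool]$recent
    }
}

function Get-CryptoApiSpoofEvents {
    # Once the fix is installed, Windows logs Event ID 1 from the
    # Microsoft-Windows-Audit-CNG provider in the Application log when it
    # rejects a certificate that attempts the spoof. No events means either
    # nothing was seen or the patch is not installed, so read it with the
    # patch state above.
    param([int]$Days = 30)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Audit-CNG'
        Id           = 1
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, MachineName, Message
}

Get-CryptoApiPatchState | Format-List
$events = Get-CryptoApiSpoofEvents
if ($events) { $events | Format-Table -AutoSize } else { 'No CNG audit events found.' }
```

Run it in an elevated PowerShell session on each managed host, or wrap the two functions in Invoke-Command to collect the same fields across a fleet.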
How We Protect U-M
- Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.
- IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
- IA provides vulnerability management guidance to the university.
- ITS updates MiWorkspace and MiServer managed machines as soon as possible after appropriate testing.
Information for Users
MiWorkspace machines will be updated as soon as possible after appropriate testing. If you have Windows installed on your own devices that are not managed by the university, update to the latest version as soon as possible. It is best to set Windows to update automatically.
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
References
- Microsoft Windows CryptoAPI fails to properly validate ECC certificate chain (Vulnerability Note VU#849224) (Carnegie Mellon University, 1/14/20)
- CVE-2020-0601 | Windows CryptoAPI Spoofing Vulnerability (Microsoft, 1/14/20)
- Microsoft patches Windows 10 security flaw discovered by the NSA (The Verge, 1/14/20)
- Microsoft will patch Windows 10 after the NSA quietly told it about a major vulnerability (CNBC, 1/14/20)
- Microsoft is patching a major Windows 10 flaw discovered by the NSA (Engadget, 1/14/20)
- Microsoft and NSA say a security bug affects millions of Windows 10 computers (TechCrunch, 1/14/20)
- NSA found a dangerous Microsoft software flaw and alerted the firm — rather than weaponize it (The Washington Post, 1/14/20)
- Windows 7 ‘Crazy High’ Security Risk As Crypto Exploit Found In Audio Files (Forbes, 1/14/20)
- Cryptic Rumblings Ahead of First 2020 Patch Tuesday (Krebs on Security, 1/13/20)