ADVISORY: Update Windows for vulnerability

Tuesday, January 14, 2020

The information below was sent via email to U-M IT staff groups January 14, 2020. It is intended for U-M IT staff who are responsible for university devices running Windows. It may also be of interest to individuals with Windows on their personal devices.

Summary

The U.S. National Security Agency (NSA) has discovered a serious flaw in Windows that could expose users to threats such as malicious software, surveillance, or data breaches. Microsoft has just released updates, which should be applied as soon as possible after appropriate testing.

Problem

An attacker could exploit the vulnerability to conduct man-in-the-middle attacks and decrypt confidential information. An attacker could also exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.

Affected Versions

An update is available for Windows 10. Updates are also available for Windows Server 2016 and 2019.

Action Items

Apply the latest update from Microsoft to Windows as soon as possible after appropriate testing.

Threats

An attacker could exploit the vulnerability to conduct man-in-the-middle attacks and decrypt confidential information. An attacker could also exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable.

There are no reports of this vulnerability being exploited in the wild at this time.

Technical Details

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates, potentially allowing a malicious actor to spoof a valid X.509 certificate chain on a vulnerable system. Crypt32.dll is a Windows module that Microsoft says handles certificate and cryptographic messaging functions in the CryptoAPI. The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates.

How We Protect U-M

  • Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.
  • IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
  • IA provides vulnerability management guidance to the university.
  • ITS updates MiWorkspace and MiServer managed machines as soon as possible after appropriate testing.

Information for Users

MiWorkspace machines will be updated as soon as possible after appropriate testing. If you have Windows installed on your own devices that are not managed by the university, update to the latest version as soon as possible. It is best to set Windows to update automatically.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.

References