Microsoft Provides Patch for Cryptographic Flaw in Windows 10
The U.S. National Security Agency took the unusual step Tuesday of announcing what it calls a “severe” vulnerability in Microsoft’s Windows 10 operating system ahead of Microsoft’s Patch Tuesday security update. The flaw could allow attackers to execute man-in-the-middle attacks or decrypt confidential data within applications.
The U.S. Department of Homeland Security also released a statement Tuesday urging Windows users to apply a security patch provided by Microsoft within 10 days.
The vulnerability, which is listed as CVE-2020-060, is a spoofing flaw that affects Windows’ CryptoAPI, a component that handles cryptographic operations within the operating system. This part of the OS validates elliptic curve cryptography certificates, which allow for public-key cryptography, according to a Microsoft security advisory.
If left unpatched, a sophisticated attacker could use the vulnerability to fake digital certificates that are used as part of encrypted communications within Windows, according to Microsoft and the NSA. This means hackers could execute man-in-the-middle attacks or decrypt confidential data within applications, the company adds.
“An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source,” according to the Microsoft advisory. “The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.”
Microsoft says it has seen no exploits in the wild. The vulnerability affects versions of Windows 10 as well as Windows Server 2016 and 2019.
Mechele Gruhn, principal security program manager for the Microsoft Security Response Center, says that the company has classified the vulnerability as “important” because it hasn’t been exploited, but the NSA classifies it as “severe.”
Microsoft released patches for a total of 49 vulnerabilities as part of its January 2020 Patch Tuesday security update. This includes eight flaws listed as “critical.”
It’s unclear how long the NSA knew about the flaw before informing Microsoft. In the past, if the agency found this type of Windows vulnerability, it would have kept the information to itself and possibly used it for its own spying capabilities or as part of its offensive cyber efforts, according to CNBC.
In its advisory Tuesday, the NSA notes the severity of the vulnerability is one reason why it decided to disclose it to Microsoft first and then eventually to the public, even though it hasn’t been actively exploited.
“NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable,” the agency says.
In a briefing Tuesday, Anne Neuberger, NSA’s director of cybersecurity, noted that this is the first time Microsoft has credited the agency with reporting a security flaw, according to Forbes.
Other spy agencies have also been alerting Microsoft to vulnerabilities in its products, which is a break with past practices. In May, for example, the U.K. National Cyber Security Center told the company about a remote code execution vulnerability that would eventually be called BlueKeep.
On Twitter Tuesday, British security researcher Kevin Beaumont noted that applying the patch and keeping mindful of exploits is essential.
The Microsoft advisory is out now.
1) it’s only rated Important
2) it’s a spoofing issue
3) to get RCE with it you would need auth, and to have code exec already
The NSA did a big press tour before announcement so expect big media play. https://t.co/O8L414HoRt
— Kevin Beaumont (@GossiTheDog) January 14, 2020
Rick Holland, CISO and vice president of strategy for security firm Digital Shadows, says this flaw is particularly concerning because it can make an attacker’s malicious code look legitimate to the operating system.
“This vulnerability is a force multiplier for attackers who often go to great lengths to get their tools whitelisted in their target environment,” Holland tells Information Security Media Group. “The CryptoAPI Spoofing vulnerability gives attackers another option to make their code appear legitimate. There is a silver lining though; Windows 7, which is now end of life, isn’t impacted by this” (see: Windows 7: Microsoft Ceases Free Security Updates).