Microsoft Patches Windows Vuln Discovered by the NSA

The National Security Agency is publicly acknowledged for its finding and reporting of CVE-2020-0601, marking the start of what it says is a new approach to security.

The first Patch Tuesday of 2020 has the industry buzzing about 49 CVEs, in particular a Windows CryptoAPI spoofing vulnerability disclosed to Microsoft by the US National Security Agency (NSA).


CVE-2020-0601, which affects Windows' cryptographic functionality, exists in Windows 10, Windows Server 2016, and Windows Server 2019. It's categorized by Microsoft as Important and rated as level one, or "exploitation more likely," in its advisory released today. Neither Microsoft nor the NSA has seen this vulnerability used in the wild, and the agency said it has not seen it in a tool.


The certificate-validation flaw exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the bug by using a spoofed code-signing certificate to sign a malicious executable so the file appears to be from a known and trusted source. The move could trick both users and anti-virus software, the DHS explains in an emergency directive on today's patches. Neither a user nor the AV program would know a file was malicious.


With this vulnerability, an attacker could issue a maliciously crafted certificate for a hostname that didn't authorize it. As a result, a browser that relies on CryptoAPI would not issue a warning to the user, giving the intruder access to modify or inject data on user connections. Successful exploitation could also allow an attacker to launch man-in-the-middle attacks and decrypt confidential data on users' connections to the affected software.


Some ..
