
NSA Discloses, Urges Patch of Critical Microsoft Windows 10 Vulnerability

In a rare move, the National Security Agency (NSA) shared its discovery of a critical vulnerability in Microsoft Windows 10 that may allow remote exploitation to steal sensitive data or install malware.

The National Security Agency discovered a critical spoofing vulnerability impacting Microsoft Windows 10, which could allow an attacker to undermine the verification of cryptographic trust and allow remote code execution, according to a rare NSA alert.

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency also alerted to the vulnerability on Tuesday, warning that attackers could exploit it to bypass the trust store and allow “unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization.”

“This could deceive users or thwart malware detection methods such as antivirus,” DHS wrote. “A maliciously crafted certificate could be issued for a hostname that did not authorize it, and a browser that relies on Windows CryptoAPI would not issue a warning, allowing an attacker to decrypt, modify, or inject data on user connections without detection.”

Windows 10 and Server 2016/2019 are impacted by the CVE-2020-0601 flaw, as are “applications that rely on Windows for trust functionality.” Microsoft released a patch following the NSA report.

The vulnerability is found in the function meant to verify the legitimacy of software or establish web connections. A flaw in that verification check enables hackers to remotely exploit it to steal sensitive information or install malware.

Assessing the flaw as severe, officials explained that exploitation of the trust validation flaw may affect HTTPS connections, signed files and emails, and signed executable code launched as user-mode processes.

“The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors,” NSA officials wrote. “Sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable.”

“The consequences of not patching the vulnerability are severe and widespread,” they added.

NSA stressed that cybercriminals will likely develop remote exploitation tools quickly and distribute them widely. The only way to mitigate the flaw is to patch, which “should be the primary focus for all network owners.”

As a result, all January 2020 Patch Tuesday patches provided by Microsoft should be applied as soon as possible. If enterprise-wide, automated patching is unavailable – typical in healthcare – “system owners [should] prioritize patching endpoints that provide essential or broadly relied-upon services.”

For example, NSA recommended prioritizing Windows-based web appliances, web servers, or proxies that perform TLS validation, and endpoints that host critical infrastructure, like VPN and DNS servers, or domain controllers.

Organizations should also prioritize endpoints with a high risk of exploitation, including endpoints exposed to the internet or regularly utilized by privileged users.

In addition to patching, organizations should also consider implementing endpoint logging features to prevent or detect some types of exploitation. However, patching is “the most effective mitigation.”

“Administrators should be prepared to conduct remediation activities since unpatched endpoints may be compromised,” NSA officials warned. “Applying patches to all affected endpoints is recommended, when possible, over prioritizing specific classes of endpoints.”

“Some enterprises route traffic through existing proxy devices that perform TLS inspection, but do not use Windows for certificate validation,” they added. “The devices can help isolate vulnerable endpoints behind the proxies while the endpoints are being patched.”

NSA officials also provided details on how organizations can leverage properly configured and managed TLS inspection proxies that “independently validate TLS certificates from external entities and will reject invalid or untrusted certificates, protecting endpoints from certificates that attempt to exploit the vulnerabilities.”

IT and security leaders should make sure certificate validation is enabled on TLS proxies, which limits exposure to “this class of vulnerabilities,” and should review logs for signs of exploitation.
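One way to carry out the log review recommended above, as an added example that is not part of the article or of NSA's guidance: the January 2020 patch makes Windows log certificate validation attempts that exploit the flaw under the Microsoft-Windows-Audit-CVE provider (Event ID 1 in the Application log), so a patched host can be queried for those events. The script assumes the patch is installed on the queried host and that the account running it can read that host's Application log.

```powershell
# Added example (not from the article or NSA): list CVE-2020-0601 detection events
# recorded by the Microsoft-Windows-Audit-CVE provider on a patched Windows host.
# Unpatched hosts emit no such events, so an empty result is not proof of safety.
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # host to query (local by default)
    [int]$Days = 7                               # how far back to look
)

$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-Audit-CVE'
    Id           = 1
    StartTime    = (Get-Date).AddDays(-$Days)
}

try {
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
} catch {
    # Get-WinEvent throws when no events match the filter; treat that as "none found"
    # and re-throw anything else (access denied, host unreachable, and so on).
    if ($_.Exception.Message -match 'No events were found') { $events = @() } else { throw }
}

# The provider also records other CVE detections, so keep only the CryptoAPI entries.
$hits = $events | Where-Object { $_.Message -match 'CVE-2020-0601' }

if (-not $hits) {
    Write-Output "$ComputerName : no CVE-2020-0601 detection events in the last $Days day(s)"
    return
}

# One line per event: when it happened, on which host, and the first line of the
# message (which names the validation that was attempted).
$hits |
    Select-Object TimeCreated, MachineName,
        @{ Name = 'Detail'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

Run it against the prioritized endpoints first (TLS-validating proxies, VPN and DNS servers, domain controllers); any hit is a reason to start the remediation activities the article describes for potentially compromised hosts.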

DHS CISA directed organizations struggling with patching to review the NIST publication on enterprise patch management technologies. Given Microsoft support for Windows 7 and other legacy platforms ended on January 14, it's imperative healthcare security leaders prioritize these vulnerabilities.
