
January Patch Tuesday fixes cryptography bug found by NSA

The U.S. National Security Agency shared information with Microsoft about a significant spoofing vulnerability in Windows that enterprises should make a patching priority.

Microsoft closed a flaw in a key cryptographic feature it discovered with help from the National Security Agency as part of the January Patch Tuesday security updates.

Microsoft issued fixes for Windows, Internet Explorer, Office, several .NET technologies, OneDrive for Android and Microsoft Dynamics for January Patch Tuesday to close 49 unique vulnerabilities, with eight rated as critical. Microsoft said there were no exploited or publicly disclosed vulnerabilities. This month's updates were the last free security fixes for Windows 7 and Windows Server 2008/2008 R2 as those operating systems left extended support.

Windows cryptographic library flaw fixed

The bug that drew the most attention from security researchers on January Patch Tuesday is a spoofing vulnerability (CVE-2020-0601), rated important, that affects Windows 10 and Windows Server 2016 and 2019 systems. The NSA uncovered a flaw in the crypt32.dll file that handles certificate and cryptographic messaging functions in the Windows CryptoAPI. The bug would allow an attacker to produce a malicious program that appears to carry a valid signature from a trusted source.

A successful exploit using a spoofed certificate could be used to launch several types of attacks, such as delivering a malicious file that appears trustworthy, performing man-in-the-middle campaigns and decoding sensitive data. An unpatched system could be particularly susceptible because the malicious file could appear legitimate and even skirt Microsoft's AppLocker protection.
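One check a defender can run on hosts that already have the January update: the fix makes crypt32.dll write an Application log event (provider Microsoft-Windows-Audit-CVE, Event ID 1) whenever it rejects a certificate that would have passed the flawed validation. The PowerShell below is an added example, not from the article or from Microsoft; it assumes the host is patched, since unpatched hosts do not generate these events at all.

```powershell
# Added example: look for CVE-2020-0601 certificate-validation audit events.
# The logging ships with the January 2020 patch, so an empty result on an
# UNPATCHED host proves nothing. The -ComputerName and -Days parameters are
# assumptions for this example.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 30
)

$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-Audit-CVE'
    Id           = 1
    StartTime    = (Get-Date).AddDays(-$Days)
}

try {
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
} catch {
    # Get-WinEvent throws when nothing matches; treat that as a clean result,
    # but re-raise anything else (access denied, host unreachable, etc.).
    if ($_.Exception.Message -match 'No events were found') {
        $events = @()
    } else {
        throw
    }
}

# Keep only events that reference this CVE; other Audit-CVE events may exist.
$hits = @($events | Where-Object { $_.Message -match 'CVE-2020-0601' })

if ($hits.Count -eq 0) {
    Write-Output "$ComputerName : no CVE-2020-0601 audit events in the last $Days days."
} else {
    Write-Warning "$ComputerName : $($hits.Count) CVE-2020-0601 audit event(s); a spoofed certificate was presented to this host."
    $hits | Select-Object TimeCreated, MachineName, Message | Format-List
}
```

Run it across the fleet after the patch rolls out; any hit should be treated as an incident lead, and the absence of the provider on a host is a sign the host has not received the update.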

"The guidance from us would be, regardless of Microsoft's 'important' classification, to treat this as a priority one and get the patch pushed out," said Chris Goettl, director of product management and security at Ivanti, a security and IT management vendor based in South Jordan, Utah.

Goettl noted that companies might not be directly attacked with exploits that use the CryptoAPI bug, but could be at risk from attacks on the back-end system of a vendor or another outside entity, such as when attackers embedded the NotPetya ransomware in tax software to slip past defenses.


"It's not a very common occurrence because good code-signing certificates can establish a level of trust, while this [vulnerability] invalidates that trust and allows an attacker to try and spoof that. It introduces a lot of potential for risk, so we recommend people close [CVE-2020-0601] down as quickly as possible," he said.

Bugs in Windows remote connection technology patched

January Patch Tuesday also closed three vulnerabilities related to Remote Desktop Services rated critical.

CVE-2020-0609 and CVE-2020-0610 are both remote code execution vulnerabilities in the Remote Desktop Gateway that affect server operating systems on Windows Server 2012 and newer. Microsoft said both CVEs can be exploited pre-authentication without any interaction from the user. Attackers who use the exploit can run arbitrary code on the target system, then perform other tasks, including installing programs, deleting data or adding a new account with full user rights.

CVE-2020-0611 is a remote code execution vulnerability in the Remote Desktop Client that affects Windows 7 and newer on desktops, and Windows Server 2008 R2 and newer on server systems, when the attacker tricks a user into connecting to a malicious server. The threat actor could then perform a range of actions, such as installing programs, viewing or changing data, or creating a new account with full user rights.

Legacy operating systems reach end-of-life

January Patch Tuesday marks the last time Microsoft will provide security updates and other fixes for the Windows 7, Windows Server 2008 and 2008 R2 operating systems unless customers pay to enter the Extended Security Updates (ESU) program. Companies must also have Software Assurance coverage or subscription licenses to purchase ESU keys for the server operating systems. Users will need to add the ESU key to systems they want to keep protected. ESU for those systems will end in three years.

Companies that plan to keep these legacy operating systems and have signed up for the ESU program should install the servicing stack updates Microsoft released for all three operating systems on January Patch Tuesday, Goettl said. Administrators also need to deploy and activate the ESU key using Microsoft's instructions.

ESU is an expensive option. For on-premises server workloads, organizations will need either Software Assurance or a subscription license at a cost of about 75% of the license cost each year.

ESU does not add new or updated features, just security fixes.

For organizations that plan to keep these operating systems running without the safety net of ESU, there are a few ways to minimize the risk around those workloads, including adding more security layers and removing the workload from a direct connection to the internet, Goettl said.

"If there's an application or something that needs to run on Windows 7, then virtualize that environment. Get the users on the Windows 10 platform and have them connect into the Windows 7 environment to access that critical app. You will spend more money doing it that way, but you will reduce your risk significantly," he said.
