CyberSecOp.com

View Original

NSA Reported a Critical Flaw in Microsoft Windows 10

The National Security Agency recently discover a vulnerability in Microsoft’s Windows 10 Operating System, NSA worked with Microsoft to issue patches and publicly raise awareness instead of using the flaw for its intelligence gathering.

On January 14, Microsoft released a set of patches for the Windows platform. While all of the issues addressed in the patch release are serious, this article will discuss one of them: CVE-2020-0601. Above anything else, we urge everyone to take action and patch their systems.

(CVE-2020-0601) affecting Microsoft Windows®1 cryptographic functionality.

The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. The exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities. Examples, where validation of trust may be impacted, include:

  • HTTPS connections

  • Signed files and emails

  • Signed executable code launched as user-mode processes

Vulnerability

CVE-2020-0601 is a serious vulnerability because it can be exploited to undermine Public Key Infrastructure (PKI) trust. PKI is a set of mechanisms that home users, businesses, and governments rely upon in a wide variety of ways. The vulnerability permits an attacker to craft PKI certificates to spoof trusted identifies, such as individuals, web sites, software companies, service providers, or others. Using a forged certificate, the attacker can (under certain conditions) gain the trust of users or services on vulnerable systems, and leverage that trust to compromise them. 

Microsoft explanation of the vulnerability

Microsoft said an attacker could exploit the vulnerability by spoofing a code-signing certificate so it looked like a file came from a trusted source.

Microsoft Windows Crypto API fails to properly validate certificates, which may allow an attacker to spoof the validity of certificate chains. This vulnerability may not seem flashy, but it is a critical issue. Trust mechanisms are the foundations on which the Internet operates.

Microsoft typically releases security and other updates once a month and waited until Tuesday to disclose the flaw and the NSA’s involvement. Microsoft and the NSA both declined to say when the agency privately notified the company.

Mitigation Actions

NSA recommends installing all January 2020 Patch Tuesday patches as soon as possible to effectively mitigate the vulnerability on all Windows 10 and Windows Server 2016/2019 systems. In the event that enterprise-wide, automated patching is not possible, NSA recommends system owners prioritize patching endpoints that provide essential or broadly replied-upon services. Examples include:

  • Windows-based web appliances, web servers, or proxies that perform TLS validation.

  • Endpoints that host critical infrastructure (e.g. domain controllers, DNS servers, update servers, VPN servers, IPSec negotiation).

Prioritization should also be given to endpoints that have a high risk of exploitation. Examples include:

  • Endpoints directly exposed to the internet.

  • Endpoints regularly used by privileged users.

 Administrators should be prepared to conduct remediation activities since unpatched endpoints may be compromised. Applying patches to all affected endpoints is recommended, when possible, over prioritizing specific classes of endpoints. Other actions can be taken to protect endpoints in addition to installing patches. Network devices and endpoint logging features may prevent or detect some methods of exploitation, but installing all patches is the most effective mitigation.

Cyber Attack Bulleting

1) FBI, DHS issue bulletin warning of potential Iranian cyberattacks.                   

The FBI and Department of Homeland Security (DHS) issued a bulletin to law enforcement groups last week Wednesday warning of the potential for Iran to target the U.S. with cyber attacks in the wake of raised tensions following the death of Iranian General Qassem Soleimani.

2) 73% of black hat hackers said traditional firewall and antivirus security is irrelevant or obsolete.                 According to the same survey, 80% of hackers say “humans are the most responsible for security breaches”.    

3) Traditional perimeter-based security is not enough for cyberattacks.
According to CyberSecOp Data Breach Investigations Report, over half — and trending toward 100% — of recent data breaches were due to compromised credentials.

4. There is a cyber attack every 39 seconds.
 By the time the average person takes a selfie and uploads it to Instagram, the next hacker attack has already taken place.