Windows 10 Vulnerability

New Vulnerabilities Fixed in Latest Microsoft Patch Tuesday

On January 14, 2020, Microsoft released software patches for 49 new vulnerabilities. These vulnerabilities affect Windows 10, Windows Server 2016, and Windows Server 2019, and it is recommended that you implement these patches ASAP.


One of the vulnerabilities patched in this release is a critical vulnerability initially identified by the National Security Agency (NSA), which reported the vulnerability to Microsoft immediately. Microsoft credited the National Security Agency with identifying the vulnerability, which is certainly a first. This was an interesting turn of events for the NSA, as the agency has traditionally used such exploits as cyberweapons to take advantage of vulnerable networks. However, after the EternalBlue exploit, which was originally developed by the NSA and leaked by the Shadow Brokers, was used to create cyber-weapons such as WannaCry and BlueKeep, the agency is likely trying to repair its reputation and be more transparent.


The critical vulnerability found by the NSA is a very big deal indeed – a CryptoAPI spoofing vulnerability (CVE-2020-0601) that allows an attacker to decrypt traffic, perform a man-in-the-middle attack, or install malware onto a system. CVE-2020-0601 has been dubbed “Curveball” (you know it’s a legitimate, scary threat when it receives a nickname) and is rated an 8.1 (High) on the CVSS scale, mostly due to a low Exploitability rating.


Additionally, Microsoft patched a group of vulnerabilities that affect Remote Desktop Gateway and Windows Remote Desktop Client (CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611). CVE-2020-0609 and CVE-2020-0610 both receive a 9.8 (Critical) rating on the CVSS scale, while CVE-2020-0611 is a 7.5 (High).


What Can These Vulnerabilities Do?

CryptoAPI validates Elliptic Curve Cryptography (ECC) certificates. ECC certificates provide a level of authentication, privacy, and protection for transmitted personal data that passphrases and passwords alone cannot. The vulnerability is located in the “crypt32.dll” file, which implements many of the certificate and cryptographic messaging functions in the CryptoAPI. Microsoft stated, “An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.”


In layman’s terms, threat actors may be able to get a victim to install malicious software by passing the malware off as a safe file or an authorized software update. An attacker can forge the file’s digital signature, allowing malware to appear as if it were coming from a trusted provider like Microsoft. “A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software,” said Microsoft.
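The NSA’s advisory on CVE-2020-0601 points defenders at certificates whose ECC public key carries explicit curve parameters instead of a named curve. The following added example (not from the SBS post or Microsoft) is a stdlib-only Python checker that classifies a DER-encoded SubjectPublicKeyInfo on that basis; the sample keys at the bottom are constructed by hand, not taken from real certificates.

```python
# Added example: walk a DER SubjectPublicKeyInfo and report whether an EC key
# names its curve by OID, carries explicit ECParameters (the pattern to flag
# for CVE-2020-0601), or is not an EC key at all.
def der_tlv(data, pos=0):
    """Decode one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed DER element's contents into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(value):
    """DER OID content octets -> dotted string."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def ec_curve_kind(spki):
    """'named:<oid>', 'explicit', 'implicit' or 'not-ec' for a DER SubjectPublicKeyInfo."""
    alg_id, _pubkey_bits = der_children(der_tlv(spki)[1])
    parts = der_children(alg_id[1])                     # [algorithm OID, parameters]
    if decode_oid(parts[0][1]) != "1.2.840.10045.2.1":  # id-ecPublicKey
        return "not-ec"
    tag = parts[1][0] if len(parts) > 1 else 0x05       # absent/NULL = implicitlyCA
    if tag == 0x06:                                     # OBJECT IDENTIFIER = namedCurve
        return "named:" + decode_oid(parts[1][1])
    return "explicit" if tag == 0x30 else "implicit"    # SEQUENCE = explicit ECParameters

def der(tag, value):                                    # short-form encoder for the samples
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

OID_EC_PUBKEY = der(0x06, bytes.fromhex("2a8648ce3d0201"))    # 1.2.840.10045.2.1
OID_P256 = der(0x06, bytes.fromhex("2a8648ce3d030107"))       # 1.2.840.10045.3.1.7
FAKE_POINT = der(0x03, b"\x00\x04" + b"\x11" * 64)            # constructed filler, not a real key
NAMED_SPKI = der(0x30, der(0x30, OID_EC_PUBKEY + OID_P256) + FAKE_POINT)
EXPLICIT_SPKI = der(0x30, der(0x30, OID_EC_PUBKEY + der(0x30, der(0x02, b"\x01"))) + FAKE_POINT)
```

To use it on a real certificate, extract the SubjectPublicKeyInfo bytes from the DER certificate (or from each certificate in a chain) and pass them to `ec_curve_kind`; any "explicit" result is worth a closer look.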


Check to see if your system is vulnerable to Curveball here: https://curveballtest.com/index.html


The Windows Remote Desktop Gateway and Windows Remote Desktop Client vulnerabilities (CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611) affect Windows Server 2012 and newer Windows Server operating systems. These vulnerabilities allow for remote code execution, where arbitrary code could be run on the affected system. The server vulnerabilities do not need authentication or user interaction, and they are exploited by a specially crafted request. The client vulnerability can also be exploited by convincing a user to connect to a malicious server.


Issues that could arise from these vulnerabilities:

  • Harm to an organization’s reputation
  • Financial loss
  • Temporary or permanent loss of sensitive or proprietary information
  • Customer information loss
  • Business disruption



Patch These Vulnerabilities

Microsoft has released software patches to fix these critical vulnerabilities. The Cybersecurity and Infrastructure Security Agency (CISA) recommends priority patching in this order:

  1. critical systems
  2. internet-facing systems
  3. networked servers

After updating all critical systems, it is always a good idea to review the Microsoft January 2020 Release Notes page. 


Do Not Wait!  

These vulnerabilities are important enough that the NSA did the right thing and informed Microsoft before these vulnerabilities became zero-day exploits. The CryptoAPI spoofing, Remote Desktop Gateway, and Windows Remote Desktop Client vulnerabilities could have caused great harm, as we’ve seen with other widespread vulnerabilities that weren’t reported, like EternalBlue and BlueKeep. Do not hesitate to update your systems immediately, or bigger issues could arise that could lead to catastrophic events in your organization.


For more information on what should go into a comprehensive, valuable Patch Management Program, check out our recent article on the subject here.



Written by: Edin Y Cardona and Jon Waldman
SBS CyberSecurity, LLC



Posted: Saturday, February 1, 2020
Categories: Blog