Microsoft’s massive CVE-2020-0601
I usually don’t write posts for CVEs, preferring to quickly retweet security news instead. But this is a big one and I want it to stick on the blog.
The vuln
CVE-2020-0601 has been disclosed. It affects all editions of Windows 10, Windows Server 2016 and Windows Server 2019. The vulnerability lives in Windows CryptoAPI (Crypt32.dll) and allows an attacker to spoof Elliptic Curve Cryptography (ECC) certificates by crafting one that appears to be valid (trust chain resolved up to root CA). Such a certificate could be used, for example, to sign a malware thus making it look legitimate.
Making noise
The news is currently making noise in the security community for the criticality of the news yet for the curious fact the NSA announced it and somehow offering support.
While Microsoft says they “have not seen it used in active attacks”, it is believed this is an older bug the agency has kept for itself and just decided to publish for yet unknown reasons, one of which may be good PR.
Since a picture is worth a 1000 words, here it is a funny explanation in classic twitter style.
The patch
The patch has been released as part of today’s patch Tuesday. More details are available here. You can get it from Windows Update. The set also contains other important security fixes and it was been reviewed by Zero Day Initiative. Of course, update as soon as you can.
Thanks for reading.