Windows: Is a critical cryptography patch coming today?

If the rumors are true, a critical patch for the CryptoAPI of some Windows versions is coming today. The vulnerability puts all kinds of encryption at risk. The US military is said to have received the fix in advance. Addendum: Details of the spoofing vulnerability CVE-2020-0601 are now known. Contrary to what was originally suspected, not all Windows versions are affected, but only Windows 10, Windows Server 2016 and 2019.


First patchday in 2020

January 14, 2020 is the first regular patchday from Microsoft this year. Windows 7 will then get its last planned security updates. But also other Windows versions and other Microsoft products will probably be patched. So far so normal.

Security expert rumor

I had already heard it mentioned that night in the newsletter as a nebulous hint. Woody Leonhard refers to a tweet from Will Dormann (security analyst at CERT/CC):

But then I came across a little more detail from Brian Krebs. Sources tell KrebsOnSecurity that Microsoft will release a critical security update today, Tuesday. It is meant to fix an extremely serious security hole in a central cryptographic component that is present in all versions of Windows.

The sources quoted by Krebs say that Microsoft has tacitly provided a patch for the bug to the US military and other high-value customers/targets that manage critical Internet infrastructure. However, these organizations were asked to sign a Non Disclosure Agreement (NDA). This prevents them from publishing details of the bug before January 14, 2020.


Vulnerability in crypt32.dll

According to the sources of Krebs, the vulnerability is located in the Windows library crypt32.dll. According to Microsoft, this library is responsible for handling the “certificate and cryptographic message functions in the CryptoAPI”. The Microsoft CryptoAPI enables developers to cryptographically secure Windows applications. For this purpose there are functions for encrypting and decrypting data with the help of digital certificates.

A critical vulnerability in this Windows component could have far-reaching effects on the security of a number of important Windows functions. These range from authentication on Windows desktops and servers to the protection of sensitive data encrypted by browsers or applications using the API.

Krebs speculates that a flaw in crypt32.dll could also be used to bypass or forge the digital signature of software packages. Such a vulnerability could be exploited by attackers to make malware appear to be a benign program that was produced and signed by a legitimate software company. The DLL for the CryptoAPI was introduced more than 20 years ago, which means the old code also lives on in the ultramodern "Windows as a service". Let's see what's coming within a few hours.

Addendum: Details of the spoofing vulnerability CVE-2020-0601 are now known.

A spoofing vulnerability exists in the way the Windows CryptoAPI (Crypt32.dll) validates elliptic curve cryptography (ECC) certificates.

An attacker could exploit this vulnerability by using a spoofed code-signing certificate to sign a malicious executable file, thereby implying that the file came from a trusted, legitimate source. The user would have no way to recognize the file as malicious, because the digital signature appears to come from a trusted provider.

A successful exploit could also allow the attacker to perform man-in-the-middle attacks and decrypt confidential information through user connections to the affected software.

This security update addresses the vulnerability by ensuring that the Windows CryptoAPI ECC certificates are fully validated.
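The incomplete check behind CVE-2020-0601 concerned ECC certificates that carry their own explicit curve parameters instead of a named-curve identifier; as an added example that is not code from this post, the Python snippet below walks a certificate's SubjectPublicKeyInfo with a minimal DER parser and reports which form the key uses, the kind of sanity check a verifier needs before trusting an ECC certificate. The SPKI blobs are constructed inline for the demo, and the explicit-parameter one is a stand-in (only the ecpVer1 INTEGER), not a full ECParameters structure.

```python
def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short and long-form lengths)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after this TLV) for the TLV at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the byte count
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # 1.2.840.10045.2.1
NAMED_CURVES = {  # DER OID body -> curve name
    bytes.fromhex("2a8648ce3d030107"): "P-256",  # 1.2.840.10045.3.1.7
    bytes.fromhex("2b81040022"): "P-384",        # 1.3.132.0.34
    bytes.fromhex("2b81040023"): "P-521",        # 1.3.132.0.35
}

def classify_ec_spki(spki: bytes) -> str:
    """'named:<curve>' is the only form to accept as-is; 'explicit' means the
    cert carries its own curve and generator, which must be checked against
    the trusted CA key rather than taken on faith."""
    tag, body, _ = parse_tlv(spki)
    if tag != 0x30:
        raise ValueError("SPKI must be a SEQUENCE")
    _, alg, _ = parse_tlv(body)        # AlgorithmIdentifier
    tag, oid, pos = parse_tlv(alg)
    if tag != 0x06 or oid != ID_EC_PUBLIC_KEY:
        return "not-ec"
    if pos >= len(alg):
        return "missing-params"
    tag, params, _ = parse_tlv(alg, pos)
    if tag == 0x06:                    # namedCurve OID
        return "named:" + NAMED_CURVES.get(params, "unknown-oid")
    return "explicit" if tag == 0x30 else "malformed"

def _spki(params: bytes, key_oid: bytes = ID_EC_PUBLIC_KEY) -> bytes:
    point = b"\x00\x04" + b"\x11" * 64  # dummy uncompressed point, 0 unused bits
    return der(0x30, der(0x30, der(0x06, key_oid) + params) + der(0x03, point))

# Constructed sample blobs for this added example (not real certificates).
SAMPLE_NAMED_P256 = _spki(der(0x06, bytes.fromhex("2a8648ce3d030107")))
# Stand-in explicit parameters: just the ecpVer1 INTEGER, not full ECParameters.
SAMPLE_EXPLICIT = _spki(der(0x30, der(0x02, b"\x01")))
SAMPLE_RSA = _spki(der(0x05, b""), bytes.fromhex("2a864886f70d010101"))
```

On a real certificate, feed the DER of the SubjectPublicKeyInfo field; anything other than a `named:` result deserves a closer look before the chain is trusted.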

Affected are Windows 10, Windows Server 2016 and 2019 – all super modern Microsoft operating systems. The vulnerability will be closed with the cumulative updates from January 14, 2020 (see CVE-2020-0601 and my blog posts Patchday Windows 10-Updates (December 10, 2019) and Patchday Windows 10-Updates (January 14, 2020)).
