Major Flaw In Windows 10 Discovered By The NSA – Experts Reactions

Microsoft has released a software update to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organisations have been asked to sign agreements preventing them from disclosing details of the flaw prior to the first Patch Tuesday of 2020, taking place yesterday.

According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles “certificate and cryptographic messaging functions in the CryptoAPI.” The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates.

A critical vulnerability in this Windows component could have wide-ranging security implications for a number of important Windows functions, including authentication on Windows desktops and servers, the protection of sensitive data handled by Microsoft’s Internet Explorer/Edge browsers, as well as a number of third-party applications and tools.
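Because crypt32.dll sits underneath code-signing and certificate-chain checks, a defender's first question after reading the above is usually "which signed binaries on my hosts chain through ECC certificates, and does Windows still consider those chains valid?" The following PowerShell script is an added example for this article and is not code from Microsoft or from any of the commenting vendors; `$ScanRoot` is an assumed path, and the ECC OID it matches on (`1.2.840.10045.2.1`, id-ecPublicKey) is the standard identifier for EC public keys rather than a value from the article.

```powershell
# Added example (not from the article): inventory Authenticode-signed binaries under a
# directory and report which ones chain through ECC (id-ecPublicKey) certificates,
# together with the chain status Windows reports for them.
# $ScanRoot is an assumed path; adjust it for your environment.
param(
    [string]$ScanRoot = 'C:\Program Files'
)

$EccOid = '1.2.840.10045.2.1'   # id-ecPublicKey, the SubjectPublicKeyInfo algorithm OID for EC keys

function Get-SignerChainReport {
    param([Parameter(Mandatory)][string]$Path)

    # Get-AuthenticodeSignature asks Windows (WinVerifyTrust, i.e. CryptoAPI/crypt32)
    # to verify the file's signature and returns the signer certificate, if any.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate

    $chainEcc    = $false
    $chainErrors = @()
    if ($null -ne $signer) {
        # Rebuild the signer's chain so every certificate in it can be inspected,
        # not just the leaf. Revocation checking is disabled so the scan runs offline.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $built = $chain.Build($signer)
        foreach ($el in $chain.ChainElements) {
            if ($el.Certificate.PublicKey.Oid.Value -eq $EccOid) { $chainEcc = $true }
        }
        if (-not $built) {
            $chainErrors = $chain.ChainStatus | ForEach-Object { $_.Status.ToString() }
        }
    }

    [PSCustomObject]@{
        Path        = $Path
        Status      = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer      = if ($signer) { $signer.Subject }    else { $null }
        Thumbprint  = if ($signer) { $signer.Thumbprint } else { $null }
        EccInChain  = $chainEcc
        ChainErrors = ($chainErrors -join '; ')
    }
}

# Scan executables and libraries, then surface the signed ones whose chain contains an
# EC key (the certificate type the advisory concerns) so they can be re-verified after patching.
$report = Get-ChildItem -Path $ScanRoot -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-SignerChainReport -Path $_.FullName }

$report |
    Where-Object { $_.Status -ne 'NotSigned' -and $_.EccInChain } |
    Sort-Object Status, Signer |
    Format-Table Status, Signer, EccInChain, ChainErrors, Path -AutoSize
```

Two caveats belong with this check. First, the verdicts it reports come from the same CryptoAPI the article is about, so on an unpatched host a spoofed chain of the kind described would still show as `Valid`; the script is an inventory of exposure, not a detector, and its output is most useful when compared before and after the update is applied. Second, chain building may try to fetch missing intermediates over the network, so run it on an isolated host or export the report rather than treating a transient `PartialChain` status as a finding.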

EXPERTS' COMMENTS
Wicus Ross, Senior Researcher, SecureData
January 16, 2020
Microsoft has also released patches in response to two other vulnerabilities regarding the Remote Desktop Gateway.
The flaw exists in the validation process of digital certificates, which are used by various services including web servers to validate identity, authenticity and to establish confidential communication channels. While this means that an attacker could potentially eavesdrop on a confidential conversation or impersonate another entity, there is very little public information available on how the vu ....
Jonathan Knudsen, Senior Security Strategist, Synopsys
January 16, 2020
The seriousness of this vulnerability demonstrates the importance of updating.
Software rots over time. It is not that the software is actually changing and getting worse; instead, vulnerabilities that were already in the software and its component building blocks are discovered over time. CVE-2020-0601, recently disclosed by Microsoft, is a vulnerability at the heart of the system of trust that underlies software applications for the Windows operating system. Legitimate d ....
Tim Mackey, Principal Security Strategist, Synopsys CyRC
January 16, 2020
Exploitation of this vulnerability will allow an attacker to bypass the trust of all network connections on Windows 10.
There are times when it’s reasonable to defer a patch, but deferring the patch for CVE-2020-0601 isn’t one of them. The underlying component, crypt32.dll is used for all digital signatures on Windows computers – servers and desktops. This is the component which helps verify SSL connections, whether software packages are legitimate, and whether a digital certificate submitted for email authen ....
Amit Yoran, Chairman and CEO, Tenable
January 15, 2020
None of these questions change what organisations need to do at this point to protect themselves.
For the U.S. government to share its discovery of a critical vulnerability with a vendor is exceptionally rare if not unprecedented. It underscores the criticality of the vulnerability and we urge all organisations to prioritise patching their systems quickly. The fact that Microsoft provided a fix in advance to US Government and other customers which provide critical infrastructure is also highl ....
Boris Cipot, Senior Sales Engineer, Synopsys
January 15, 2020
Importantly, users are also urged not to trust websites or emails with links that offer patches for crypt32.dll.
This is serious news, as the crypt32.dll is a module needed for securing the Microsoft Operating Systems. We still don’t know precisely what the bug is and how easily it could be exploited, as that hasn’t been fully disclosed yet, but there are some pointers online that can give us an idea. We will be able to say more once the patch will be released. Users are advised to apply the patch for t ....
Ambuj Kumar, CEO, Fortanix
January 15, 2020
Elliptic curves have had a bad reputation.
Elliptic curves have had a bad reputation. Microsoft's disclosure today that "CryptoAPI fails to properly validate certificates that use Elliptic Curve Cryptography (ECC), which may allow an attacker to spoof the validity of certificate chains" and not providing a root cause leaves many questions unanswered. It'll certainly not help with all the previous history of trustworthiness of ECC. ....
Saryu Nayyar, CEO, Gurucul
January 15, 2020
These sorts of vulnerabilities are also most likely to be exploited by advanced cyber criminals and nation-state attackers.
Unpatched vulnerabilities like this are actually some of the most dangerous types of cyber threats because they’re not known vulnerabilities and cannot be defended using conventional signature-based security tools. These sorts of vulnerabilities are also most likely to be exploited by advanced cyber criminals and nation-state attackers to carry out sophisticated attacks that many organisations a ....
Chris Hodson, CISO, Tanium
January 15, 2020
As we have learnt from attacks like WannaCry, the failure to patch known vulnerabilities can be devastating.
The Patch Tuesday update from Microsoft revealed a critical security vulnerability in its cryptographic library used by Windows 10, Server 2016, and Server 2019. An attacker could use this vulnerability to spoof a code-signing certificate, sign a malicious executable, and make it look like it was from a trusted source. An attacker could also conduct man-in-the-middle attacks against affected softw ....
Stuart Reed, UK Director, Orange Cyberdefense
January 15, 2020
Actively ensuring the patch is deployed or monitoring the network more broadly.
The existence of this vulnerability serves as a reminder of just how important it is to have processes and technology in place that can act quickly. Whether it’s checking automatic updates are enabled, actively ensuring the patch is deployed or monitoring the network more broadly, as an operating system that it utilised by a large portion of organisations today, the scale and severity of this in ....
Renaud Deraison, Co-founder and CTO, Tenable
January 15, 2020
CVE-2020-0601 hits at the very trust we have in today's digital computing environments.
CVE-2020-0601 hits at the very trust we have in today's digital computing environments -- trust to authenticate binaries and trust that our ciphered communications are properly protected. The flaw would enable an attacker, among other things, to exploit how Windows verifies cryptographic trust, enabling them to deliver executable code and making it look like it came from a trusted source. You can ....
Kevin Bocek, VP Security Strategy & Threat Intelligence, Venafi
January 15, 2020
These vulnerabilities should remind us about the blind trust we have in cryptography and machine identities.
Every Windows device relies on trust established by TLS and code signing certificates, which act as machine identities. If you break these identities, you won’t be able to tell the difference between malware and Microsoft software. It’s good that Microsoft is treating this with urgency, any vulnerability with the core part of Windows is serious. In addition to your own certificates, there a ....
Pratik Savla, Senior Security Engineer, Venafi
January 15, 2020
Digital signature is one of the most important mechanisms Microsoft provides.
Digital signature is one of the most important mechanisms Microsoft provides. This process was created to prevent malicious payload distribution campaigns. Any compromise could spell significant trouble because attackers who are successful in spoofing code signing certificates can masquerade a malicious program as a legitimate Windows system binary. This weakness could be helpful in executing ....
Max Vetter, Chief Cyber Officer, Immersive Labs
January 15, 2020
Human capability in cyber security is such a valuable resource.
While this is clearly a massive vulnerability within Windows systems it is important to place this in the bigger picture. Just because the flaw was discovered by the NSA does not automatically elevate this threat to international levels, or that it presents a bigger risk to business than other threats. It is important to place the vulnerability in context, so that the highest threats are prioritis ....