Microsoft Issues Windows CryptoAPI / CVE-2020-0601 Patch

In the first Patch Tuesday of 2020, Microsoft has released a new patch for a serious Windows vulnerability, CVE-2020-0601, or the Windows CryptoAPI Spoofing Vulnerability. The vulnerability has grave implications for machines running 32- or 64-bit Windows 10 operating systems, including Windows Server versions 2016 and 2019. Let’s explore how and why the patch is important for all organizations to heed.

“A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates,” according to Microsoft’s statement. “An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider. A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.”

The U.S. National Security Agency (NSA) was credited, for the first time, with discovering the vulnerability.

Experts say this vulnerability could have far-reaching security implications for important Windows functions such as desktop and server authentication, sensitive data protection managed by Microsoft’s Internet Explorer/Edge browsers, and the multitude of third-party applications and tools connected to Windows. Of equal concern, noted Brian Krebs of KrebsOnSecurity.com, a flaw in crypt32.dll might also be abused to spoof the digital signature tied to a specific piece of software. Such a weakness could be exploited by attackers to make malware appear to be a benign program that was produced and signed by a legitimate software company.

“While there have not been any exploits found of the vulnerability in the wild, this is exactly the kind of vulnerability that attackers are expected to take advantage of,” said Dr. Kiri Addison, Head of Data Science for Threat Intelligence & Overwatch at Mimecast.

The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.

“This exploit can most definitely be used to spoof code signing certificates to impersonate trusted and legitimate sources,” said Meni Farjon, Chief Scientist of Advanced Malware Detection at Mimecast. “In other words – an attacker could essentially make their trojans signed and verified by trusted entities, therefor evading detection, using this spoofing vulnerability.”

The NSA has issued a statement advising users to update, with guidance on how to mitigate risk and prioritize updates across environments with the affected software. Now that the news has been widely shared, it’s likely attackers may try to take advantage of users who haven’t implemented the patch, since patches can take some time to be broadly executed at the enterprise level. In addition, using a third-party or unaccredited patch may open users up to greater threats from cybercriminals – it’s best to work directly through Microsoft’s patch instructions.

As with any serious vulnerability such as this one, Mimecast urges organizations and individuals to patch as soon as possible using official updates from Microsoft.