
In the first Patch Tuesday of 2020, Microsoft released a patch for a serious Windows vulnerability, CVE-2020-0601, the Windows CryptoAPI Spoofing Vulnerability. The vulnerability has grave implications for machines running 32- or 64-bit Windows 10, including Windows Server 2016 and 2019. Let's explore how and why the patch is important for all organizations to apply.

“A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates,” according to Microsoft’s statement. “An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider. A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.”

The U.S. National Security Agency (NSA) was credited, for the first time, with discovering the vulnerability.

Experts say this vulnerability could have far-reaching security implications for important Windows functions such as desktop and server authentication, sensitive data protection handled by Microsoft's Internet Explorer and Edge browsers, and the multitude of third-party applications and tools that rely on Windows. Of equal concern, noted Brian Krebs, a flaw in crypt32.dll might also be abused to spoof the digital signature tied to a specific piece of software. Such a weakness could be exploited by attackers to make malware appear to be a benign program that was produced and signed by a legitimate software company.

“While there have not been any exploits found of the vulnerability in the wild, this is exactly the kind of vulnerability that attackers are expected to take advantage of,” said Dr. Kiri Addison, Head of Data Science for Threat Intelligence & Overwatch at Mimecast.

The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.

“This exploit can most definitely be used to spoof code signing certificates to impersonate trusted and legitimate sources,” said Meni Farjon, Chief Scientist of Advanced Malware Detection at Mimecast. “In other words – an attacker could essentially make their trojans signed and verified by trusted entities, therefore evading detection, using this spoofing vulnerability.”

The NSA has issued a statement advising users to update, with guidance on how to mitigate risk and prioritize updates across environments running the affected software. Now that the news has been widely shared, attackers are likely to target users who haven't applied the patch, since patches can take some time to be broadly deployed at the enterprise level. In addition, using a third-party or unaccredited patch may expose users to greater threats from cybercriminals; it's best to follow Microsoft's own patch instructions directly.

As with any serious vulnerability such as this one, Mimecast urges organizations and individuals to patch as soon as possible using official updates from Microsoft.
