NSA Plays Key Role in Microsoft's January Security Updates
Microsoft's first security patch rollout of the year has the U.S. National Security Agency (NSA) playing a key supporting role.
All told, Microsoft is delivering patches this month for 49 common vulnerabilities and exposures (CVEs) across its products. Affected software, per the release notes, includes Windows, Internet Explorer, Microsoft Office, .NET, OneDrive for Android and Microsoft Dynamics. Eight of the fixes are deemed "Critical," while 41 are rated "Important." These vulnerabilities weren't publicly disclosed beforehand, nor are any exploits known, Microsoft indicated.
No security advisories were released this month.
The show stealer for this month, though, is an Important patch for a Windows CryptoAPI spoof vulnerability (CVE-2020-0601). The vulnerability is present in Windows 10, Windows Server 2016 and Windows Server 2019 systems and was brought to Microsoft's attention by the NSA. Security writer Brian Krebs indicated on Monday that Microsoft's patch had been delivered to U.S. military organizations in advance, presumably because it breaks the trust functionality of digitally signed certificates.
Update 1/17: The SANS Institute has published Internet Storm Center analysis of CVE-2020-0601. It includes a link to test if users are subject to certificate spoofing when using the Internet Explorer or Microsoft Edge browsers. Mozilla Firefox browsers don't use Crypt32.dll, so they are not subject to the vulnerability. Google Chrome browsers can be vulnerable, but Google recently addressed the issue with a browser update, the researchers indicated.
According to Microsoft's CVE-2020-0601 security bulletin, "an attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source."
For that reason and more, many security researchers are putting CVE-2020-0601 at the top of the patching priority list, even though it's just ranked Important by Microsoft. The patch notably will add an entry in Windows event logs if an exploit is tried.
"This [log addition] is significant and will help admins determine if they have been targeted," wrote Dustin Childs in a Trend Micro Zero Day Initiative post.
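One way to act on that log addition is to query for the detection events on a patched host. This is an added example, not code from the article or from Microsoft; the log name, provider name and event ID are assumed from Microsoft's and the NSA's patch guidance, since the article does not state them.

```powershell
# Added example (not from the article): list CVE-2020-0601 detection events
# that a patched Windows 10 / Server 2016 / Server 2019 host writes when a
# spoofed certificate is presented to CryptoAPI. Assumed values (not in the
# article): Application log, provider Microsoft-Windows-Audit-CVE, Event ID 1.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 30
)

$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-Audit-CVE'
    Id           = 1
    StartTime    = (Get-Date).AddDays(-$Days)
}

try {
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
} catch {
    # Get-WinEvent throws when nothing matches; treat that as "no events seen".
    if ($_.Exception.Message -match 'No events were found') {
        $events = @()
    } else {
        throw
    }
}

# The Audit-CVE provider is shared by other audited CVEs, so keep only this one.
$hits = @($events | Where-Object { $_.Message -match 'CVE-2020-0601' })

if ($hits.Count -eq 0) {
    Write-Output "No CVE-2020-0601 detection events on $ComputerName in the last $Days days."
    Write-Output "Note: the event is only written once the January 2020 update is installed."
    return
}

# First line of the message carries the detection summary; the rest names the
# certificate chain and process involved, which is what to investigate next.
$hits |
    Select-Object TimeCreated, MachineName,
        @{ Name = 'Detail'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize

Write-Warning ("{0} CVE-2020-0601 detection event(s) on {1}; review the full event text for the signer and process." -f $hits.Count, $ComputerName)
```

Run it with `-ComputerName` against each patched server in turn, or wrap it in a loop over a host list to sweep an estate; an unpatched host returns no events regardless of whether it has been targeted.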
Organizations shouldn't delay in patching the CVE-2020-0601 vulnerability, according to Tim Mackey, a principal security strategist at Synopsys, a provider of semiconductor design solutions, in an e-mailed comment:
The underlying component, crypt32.dll, is used for all digital signatures on Windows computers -- servers and desktops. This is the component which helps verify SSL connections, whether software packages are legitimate, and whether a digital certificate submitted for email authentication is valid, among many other security items. Exploitation of this vulnerability will allow an attacker to bypass the trust of all network connections on Windows 10 and Windows Server 2016/2019 systems, or those referencing them.
Security researcher Kevin Beaumont offered "don't panic" advice on CVE-2020-0601. He noted in a Jan. 13 Twitter post that few organizations typically "use digital signatures as a key security boundary control."
"Patch your Citrix, Fortigate, Pulse Secure SSL VPN boxes and your 11 month old SharePoint vuln," Beaumont added, regarding IT patch priorities. "And turn off SMB1."
A critical remote code execution vulnerability (CVE-2019-19781) in the Citrix Application Delivery Controller (formerly known as "NetScaler ADC"), as well as Citrix Gateway (formerly "NetScaler Gateway"), is getting highlighted by security researchers as being "one of the most dangerous bugs disclosed in recent years," according to Trend Micro. Citrix released an advisory for it in December but there's no patch for it, and Citrix may have disclosed too much about it, according to a post by David Kennedy of security consulting firm TrustedSec.
"TrustedSec can confirm that we have a 100% fully working remote code execution exploit that is able to directly attack any Citrix ADC server from an unauthenticated manner," Kennedy wrote.
At best, organizations can follow Citrix's mitigation steps.
CISA has published a utility to check if the Citrix solutions are subject to the vulnerability.
Other Critical Fixes
Additionally, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) put the spotlight on three critical Windows Remote Desktop Protocol (RDP) vulnerabilities this month. The vulnerabilities, CVE-2020-0609, CVE-2020-0610 and CVE-2020-0611, affect the Windows Remote Desktop client and the RDP Gateway Server and could be used for remote code execution attacks. Attackers don't need to be authenticated on a network to carry out attacks. They just need to direct a user to a "malicious server," CISA's announcement explained.
"CISA strongly recommends organizations install these critical patches as soon as possible -- prioritize patching by starting with mission critical systems, internet-facing systems, and networked servers," CISA indicated. "Organizations should then prioritize patching other affected information technology/operational technology (IT/OT) assets."
Other notable Critical vulnerabilities affect .NET and ASP.NET in Windows systems. CVE-2020-0603, CVE-2020-0605, CVE-2020-0606 and CVE-2020-0646 all address memory-handling issues that can lead to remote code execution attacks if a user opens a "specially crafted file," according to Jon Munshaw in a Cisco Talos post.
There's also a memory corruption vulnerability in the Internet Explorer browser that could be used to execute code via Web pages, which is getting addressed by the Critical patch for CVE-2020-0640, Munshaw noted.
Windows End of Support
Perhaps the biggest news for IT pros, though, is Tuesday's end of support for Windows 7 and Windows Server 2008/R2, as noted by Todd Schell, a senior product manager for security at Ivanti, in e-mailed patch commentary. Organizations continuing to run those operating systems should use Microsoft's Extended Security Updates program to continue to receive security updates, he suggested. Doing so likely requires having the latest Servicing Stack Updates installed, he added.
Schell also advised IT organizations to ensure that Windows systems are updated to use SHA2 code signing.
Schell offered the following checklist of mitigation options for organizations continuing to run Windows 7 or Windows Server 2008/R2 but not using Extended Security Updates:
- Get systems up to January 2020 patch levels.
- Virtualize workloads and reduce access to these systems to essential personnel only.
- Remove direct internet access from these systems.
- Segregate these systems into a separate network segment from other systems.
- Layer additional security controls on these systems. Lock down application control policies to prevent running anything other than the critical applications that rely on the legacy OS, etc.
Those approaches likely aren't ideal, of course.
More Ivanti commentary can be found in its Patch Tuesday webinars, with the next one scheduled for Jan. 15.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.