The new year is here, and it traditionally brings with it the opportunity to start over, to clear the slate and do things differently. If you’re an IT pro and you’ve been lax in applying security updates in 2019, this is the perfect time to make a New Year’s resolution to stay on top of those patches as we move into the brand new roaring 20s.
It’s also a good time for me, as a security analyst and writer, to step back and assess my approach to covering the security update news each month. Microsoft has changed its way of issuing patches over the last few years, and it’s time for a new way of reporting on those updates. There are several other sites that do monthly summaries of the Patch Releases, and providing the same old list of KBs and CVEs probably isn’t the most useful tactic. After all, you can find that information in Microsoft’s own Security Update Guide and even download it in spreadsheet format or sort and filter it on the site.
So this year, in the Patch Tuesday article, instead of a list of links, I’m going to address in more detail the information of interest regarding the most relevant vulnerabilities and their fixes. I hope this adds more value.
Along with some nasty weather in parts of the U.S. and rough seas in the Caribbean, this January brings us a fairly heavy slate of patches, with twenty-nine vulnerabilities addressed in Windows 10, twenty-three in Windows 8.1, and eighteen in Windows 7 (for which this will be the last set of regular security updates – more on that later). One of these in particular is making headlines, and is the reason that this month it’s more important than ever to install the updates as soon as possible.
Let’s look first at the high-profile vulnerability in Windows that’s been all over the news today with the release of the patch for it.
Critical Crypt32.dll vulnerability
Most Patch Tuesdays come and go without much notice in the mainstream press. Now and then, though, a vulnerability is serious enough to capture the attention of such publications as Forbes and the Washington Post, and that’s the case as we kick off 2020.
CVE-2020-0601 is the Windows CryptoAPI spoofing vulnerability in Windows 10, Server 2016 and Server 2019 that is causing all the uproar. More specifically, the issue stems from the way Windows CryptoAPI (crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.
As you probably know, ECC is a type of public-key cryptography that is faster, more scalable, and requires less processing power than the RSA algorithms traditionally used to secure SSL (Secure Sockets Layer)/TLS (Transport Layer Security) connections, while providing equivalent or stronger security with much smaller keys. Digital certificates that use ECC signature algorithms therefore offer obvious advantages.
This vulnerability was reportedly discovered by cybersecurity team members at the National Security Agency (NSA), who reported it to Microsoft. The vulnerability could be exploited by an attacker using a spoofed code-signing certificate to make a malware file appear to come from a trusted source. Code signing uses a digital signature based on a certificate to verify the identity of the author of an executable program or script, so that users know the software is trustworthy. Thus a malicious executable such as ransomware or spyware could be passed off as legitimate. An attacker could also use the vulnerability to intercept and decrypt confidential information on user connections to the affected software.
According to the NSA’s statement, “The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available.” One of the things that makes this vulnerability so serious is the potential for attackers to conduct man-in-the-middle attacks and compromise communications channels that are seen as trustworthy, enabling modification of communications in banking, critical infrastructure control, or government systems, among others.
Microsoft is said to have provided the patch to U.S. government agencies and the military prior to its public release on Patch Tuesday. Security expert Brian Krebs foreshadowed the release the day before it was officially made public. Microsoft reportedly has not seen exploits of the vulnerability in the wild as of January 14, but now that it’s public knowledge, it’s crucial to get all vulnerable systems updated. This includes all builds of Windows 10, 32- and 64-bit versions and Server 2016 and 2019, including the server core installations.
After you’ve applied the update, any attempt to exploit the vulnerability will cause Windows to log an Event ID 1, which you can see in Event Viewer, as shown in the FAQ section of the advisory.
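One way to sweep patched machines for those post-update detection events, as an added example rather than anything from the article or the advisory: it queries the Application log for Event ID 1 from the Microsoft-Windows-Audit-CVE provider (the source named in Microsoft's FAQ) and keeps only the entries that mention CVE-2020-0601. The function name and the assumption that the event message contains the CVE identifier are mine.

```powershell
# Added example (not from the article): report CryptoAPI exploitation attempts that
# the patched crypt32.dll records as Microsoft-Windows-Audit-CVE Event ID 1.
# Assumptions: Application log and provider name as documented in the advisory FAQ;
# the event message contains the string "CVE-2020-0601"; run from an elevated session.
function Get-Cve20200601Detections {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),   # local host by default
        [datetime]$Since = (Get-Date).AddDays(-7)         # look back one week
    )
    foreach ($computer in $ComputerName) {
        $filter = @{
            LogName      = 'Application'
            ProviderName = 'Microsoft-Windows-Audit-CVE'
            Id           = 1
            StartTime    = $Since
        }
        try {
            $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # Get-WinEvent throws when nothing matches; treat that as "no detections"
            if ($_.Exception.Message -match 'No events were found') { continue }
            Write-Warning "$computer : $($_.Exception.Message)"   # RPC/permission errors
            continue
        }
        foreach ($e in ($events | Where-Object { $_.Message -match 'CVE-2020-0601' })) {
            [pscustomobject]@{
                Computer    = $computer
                TimeCreated = $e.TimeCreated
                # The message identifies the offending certificate (CA subject and
                # thumbprint); it is kept whole here, collapsed to a single line
                Message     = ($e.Message -replace '\s+', ' ')
            }
        }
    }
}

# Usage: local machine, last seven days. Add -ComputerName for remote hosts
# (remote queries need the Remote Event Log Management firewall rule enabled).
Get-Cve20200601Detections | Format-Table -AutoSize -Wrap
```

An empty result on a patched machine simply means no spoofed ECC certificate has been presented to it since the patch was applied; a hit is worth pulling the named certificate and the process that loaded it.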
Critical Remote Desktop Client RCE vulnerability
While CVE-2020-0601 is getting most of the publicity, another critical vulnerability – a remote code execution vulnerability in the Windows Remote Desktop client component – affects all of the currently supported versions of Windows client and server operating systems, including Windows RT 8.1 and the server core installations of the Server OSes. The problem is the way the RDP client handles connection requests.
CVE-2020-0611 is more difficult to exploit, though, as it depends on the client connecting to a malicious server. Thus the attacker would have to control said server and would have to convince the user to connect to it. Microsoft reports that there have been no cases detected of this vulnerability being exploited in the wild, and it was not publicly disclosed prior to issuance of the patch.
Critical Remote Desktop Gateway (RD Gateway) RCE vulnerability
Remote Desktop Gateway is a service built into Windows Server that enables remote computers running the RDP client to securely connect to an organization’s Windows computers on the corporate network, without needing to set up a Virtual Private Network (VPN).
CVE-2020-0609 is a vulnerability in this service that could be exploited to execute arbitrary code on the targeted system: an attacker connects to the targeted system via RDP and sends a specially crafted request to the RD Gateway. This vulnerability exists in Windows Server versions 2012, 2012 R2, 2016, and 2019. Microsoft has not detected any instances of it being exploited in the wild, and it was not publicly disclosed prior to release of the patch.
Critical Memory Corruption Vulnerability in Internet Explorer
According to NetMarketShare.com’s web browser statistics, as of December 2019 Internet Explorer had less than 8% of the browser market, with Google’s Chrome way out in front with more than 67%. Nonetheless, Internet Explorer is installed on a large number of Windows machines, so this RCE vulnerability is worth mentioning.
CVE-2020-0640 is a vulnerability that affects all currently supported versions of Internet Explorer. When IE improperly accesses objects in memory, the vulnerability can cause memory corruption that an attacker could exploit to execute arbitrary code. An attacker could host a specially crafted website designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by adding specially crafted content that could exploit the vulnerability.
The likelihood of exploitation is relatively low for this one, given that the attacker would have to find a way to convince an IE user to visit the compromised or malicious website. Microsoft has not detected any instances of it being exploited in the wild, and it was not publicly disclosed prior to release of the patch. Nevertheless, if you have computers in your organization running IE versions 9, 10, or 11, they need to be updated to protect against this one.
Last call for security updates to Windows 7
As we noted in last month’s Patch Tuesday article, this month’s updates are the last ones for Windows 7, which is now at end-of-life with extended support expiring January 14. Unfortunately, even though the OS is now ten years old (which means in software years, as in dog years, it’s elderly), there are still millions of computers out there running it.
Kaspersky’s research indicates that 48% – almost half – of small, medium, and enterprise businesses are still running operating systems that have reached end-of-life. Windows 7 makes up the largest percentage of that, by far. According to NetMarketShare.com’s OS statistics, as of December 2019 Windows 7 still had almost 38% of the client operating system market.
In addition to the discontinuation of security and feature updates and bug fixes, Microsoft technical support will no longer be available. Windows 7 will continue to run as usual, but as time goes on the risk will only increase. Unfortunately, Microsoft’s offer of a free upgrade to Windows 10 ended back in 2016, so it’s now necessary to purchase the full version. Another dilemma here is that Windows 10 may not be able to run reliably on some very old computers, so that may necessitate buying new hardware, as well.
If your organization has Windows 7 systems currently in operation, it’s essential to devise a plan to move to a new and more secure OS. If your company falls under regulatory compliance requirements, continuing to run an unsupported operating system may cause you to be out of compliance. Remember that today, with such broad-scope laws as the European Union’s General Data Protection Regulation (GDPR) and California’s new Consumer Privacy Act (CCPA), most organizations are impacted.
Even if regulatory compliance isn’t an issue for you, running systems connected to the Internet without the protection of security updates not only puts your own data at risk, but also that of your customers, vendors, partners, and others with whom you communicate electronically. Windows 7 was a great operating system in its day, but no matter how much you love it, it’s time to let it go.