Updated Jan. 14 to add official Microsoft description of the flaw. Earlier updates added Microsoft comments, Twitter gossip, NSA comments and CVE number. This story was originally published Jan. 13.
Microsoft today fixed a Windows security flaw that independent information-security report Brian Krebs had yesterday (Jan. 13) described as "an extraordinarily serious security vulnerability."
If and when you're prompted by your PC to update your machine -- and you probably will be by tomorrow morning -- you should do so ASAP.
"The consequences of not patching the vulnerability are severe and widespread," the National Security Agency wrote in an advisory. "Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners."
The flaw exists in all versions of Windows 10, plus Windows Server versions 2016 and 2019. Windows 7, which gets its last security updates today, and Windows 8.1 do not appear to be affected.
Now that we've seen Microsoft's explanation of the vulnerability, it is indeed very serious, although Microsoft puzzlingly classifies it as "Important" rather than "Critical."
That would imply that the flaw cannot be exploited without user approval, intentional or not, and that it cannot be exploited remotely, e.g. directly over the internet.
For what it's worth, the NSA, which Microsoft credited with finding the flaw, deemed it critical.
The flaw "is a serious vulnerability, because it can be exploited to undermine Public Key Infrastructure (PKI) trust," wrote Neal Ziring of the NSA's Cybersecurity Directorate in an NSA blog posting. "The vulnerability permits an attacker to craft PKI certificates to spoof trusted identities, such as individuals, web sites, software companies, service providers, or others."
"This vulnerability may not seem flashy, but it is a critical issue," Ziring added. "Trust mechanisms are the foundations on which the Internet operates – and [this flaw] permits a sophisticated threat actor to subvert those very foundations."
Dead man's elliptical curve
The flaw lies "in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates," Microsoft wrote in its advisory.
We won't bore you with the technical details of elliptic-curve cryptography, but suffice it to say that "an attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source."
In other words, a hacker could get you to download and install malware that pretended to be something benign, such as a software update, and Microsoft and even the best antivirus software would be none the wiser due to the spoofed digital signature.
"The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider," Microsoft added. "A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software."
That means that hackers could intercept and alter secure internet communications, including software updates and possibly even encrypted messages, depending on how the messaging software used Microsoft's own encryption tools.
"It's not hard to imagine how attackers could employ this tactic," wrote Dustin Childs, a former Microsoft security analyst, in a blog post for Trend Micro's Zero Day Initiative. "For example, ransomware or other spyware is much easier to install when it appears to have a valid certificate."
Other vulnerabilities fixed by Microsoft in the January 2020 Patch Tuesday updates include several remote-code-execution bugs in Excel, potential information leaks in the ways Windows handles graphics components and log files, and even a flaw in the OneDrive app for Android.
'Turn a new leaf'
Earlier today, Anne Neuberger, head of the NSA's Cybersecurity Directorate, said in a conference call with reporters that the NSA had reported the flaw to Microsoft, according to Krebs. She added that Microsoft had seen no active exploits of the vulnerability yet.
Krebs said the NSA personnel on the call would not say exactly when the NSA had discovered the flaw.
It's possible that the NSA used the flaw itself for some time in so-called "tailored access operations," although two stories today from The Washington Post and The New York Times pushed the angle, provided by anonymous sources, that the NSA had selflessly given Microsoft the information instead of exploiting it.
Krebs, too, said he had heard that this disclosure to Microsoft was part of a new initiative within the agency called "Turn a New Leaf," aimed at showcasing the NSA's defensive-security side.
Krebs' early sources were right that the flaw lies in crypt32.dll, which handles core cryptographic and certification functions. He added that the U.S. military and high-value private organizations had already been given the patch under strict secrecy.
The flaw was given the Common Vulnerability and Exposures catalog number CVE-2020-0601, echoing a tweet yesterday by Mac hacker Patrick Wardle. A sharp-eyed Twitter user noticed that that CVE was addressed today in a malware-definition update pushed out to Microsoft's antivirus software packages, Windows Defender and Microsoft Security Essentials.
Will Dormann, a vulnerability analyst at the Computer Emergency Response Team Coordination Center (CERT/CC), which is operated by Carnegie Mellon University in Pittsburgh at the behest of the Pentagon, posted a cryptic remark on Twitter yesterday.
I get the impression that people should perhaps pay very close attention to installing tomorrow's Microsoft Patch Tuesday updates in a timely manner. Even more so than others.I don't know... just call it a hunch?¯\_(ツ)_/¯January 13, 2020
"I get the impression that people should perhaps pay very close attention to installing tomorrow's Microsoft Patch Tuesday updates in a timely manner. Even more so than others," Dormann wrote. "I don't know... just call it a hunch?"
Don’t panic re this one. https://t.co/ZAQvAPplK2January 13, 2020
"Don't panic re this one," Beaumont simply said.
This Patch Tuesday is also noteworthy because it's (probably) the last time that Windows 7 will get a security update. The 10-year-old operating system officially reaches end-of-life tomorrow, although it will get this extraordinarily serious patch, whatever it turns out to be.
If you're still running Windows 7, here's how to live with Windows 7 past tomorrow, and here's how to update from Windows 7 to Windows 10 for free.