Critical Vulnerabilities in Microsoft Windows Operating System

Published on 15 Jan 2020

Updated on 15 Jan 2020

Overview

Microsoft has released security patches to address critical vulnerabilities in its Windows operating systems on 15 January 2020 (Singapore Time). Four of them (CVE-2020-0601, CVE-2020-0609, CVE-2020-0610 and CVE-2020-0611) are particularly severe and require immediate prioritisation and attention:

Windows CryptoAPI Spoofing Vulnerability

CVE-2020-0601 - This vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. When a certificate carries explicit curve parameters, the affected code matches it against the trusted root certificates by public key alone and does not check that those parameters (in particular the generator point) are the ones the trusted root was actually issued with. An attacker can therefore choose a private key and a generator whose combination reproduces a trusted root's public key, and with it forge a certificate chain that Windows treats as legitimate. For example, an attacker could use such a forged code-signing certificate to sign an executable file, making it appear that the file came from a trusted, legitimate publisher; the same technique yields forged TLS certificates for intercepting HTTPS connections. The system or user would have no way of knowing the file was not legitimate, because the digital signature would appear to be from a trusted provider.
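
The flaw described above comes down to matching a certificate to a trusted root by public key while trusting the curve parameters carried inside the certificate. The following toy model, written for this page and not code from Windows or Microsoft, reproduces that failure on a small textbook curve (y^2 = x^3 + 2x + 2 over F_17, group order 19) with a minimal ECDSA: `validate_chain(..., check_params=False)` models the pre-patch behaviour and `check_params=True` the fixed one. The curve, the root and leaf keys, the subject names and the `Curve`/`Cert` classes are all assumptions of the example; a real certificate carries the same information in ASN.1.

```python
"""Toy model of the CVE-2020-0601 validation flaw (constructed example, not Windows code)."""
import hashlib
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple
Point = Optional[Tuple[int, int]]  # None is the point at infinity

@dataclass(frozen=True)
class Curve:  # explicit EC parameters, as a certificate may carry them
    p: int
    a: int
    b: int
    g: Tuple[int, int]  # generator (base point)
    n: int              # order of g

    def add(self, P: Point, Q: Point) -> Point:
        if P is None or Q is None:
            return Q if P is None else P
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None  # P + (-P)
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p) % self.p
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p) % self.p
        x3 = (lam * lam - x1 - x2) % self.p
        return (x3, (lam * (x1 - x3) - y1) % self.p)

    def mul(self, k: int, P: Point) -> Point:  # double-and-add
        k %= self.n
        R: Point = None
        while k:
            if k & 1:
                R = self.add(R, P)
            P, k = self.add(P, P), k >> 1
        return R

# Assumed "named" curve of the trusted root: y^2 = x^3 + 2x + 2 over F_17, group order 19.
STANDARD = Curve(p=17, a=2, b=2, g=(5, 1), n=19)

def hash_to_int(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def ecdsa_sign(curve: Curve, d: int, msg: bytes) -> Tuple[int, int]:
    h = hash_to_int(msg, curve.n)
    for k in range(1, curve.n):  # deterministic nonce search: reproducibility only, never for real keys
        R = curve.mul(k, curve.g)
        r = R[0] % curve.n if R else 0
        s = pow(k, -1, curve.n) * (h + r * d) % curve.n
        if r and s:
            return (r, s)
    raise ValueError("no usable nonce")

def ecdsa_verify(curve: Curve, Q: Tuple[int, int], msg: bytes, sig: Tuple[int, int]) -> bool:
    r, s = sig
    if not (0 < r < curve.n and 0 < s < curve.n):
        return False
    w, h = pow(s, -1, curve.n), hash_to_int(msg, curve.n)
    P = curve.add(curve.mul(h * w, curve.g), curve.mul(r * w, Q))
    return P is not None and P[0] % curve.n == r

@dataclass(frozen=True)
class Cert:
    subject: str
    curve: Curve             # parameters carried inside the certificate
    pubkey: Tuple[int, int]
    signature: Optional[Tuple[int, int]] = None  # issuer's ECDSA signature over tbs()

    def tbs(self) -> bytes:
        return f"{self.subject}|{self.pubkey}".encode()

def issue(issuer_curve: Curve, issuer_key: int, cert: Cert) -> Cert:
    return replace(cert, signature=ecdsa_sign(issuer_curve, issuer_key, cert.tbs()))

def validate_chain(ca: Cert, leaf: Cert, trust_store: List[Cert], check_params: bool) -> bool:
    """False = pre-patch: match the root by public key only, verify with the CA cert's own params. True = fixed."""
    for root in trust_store:
        if root.pubkey != ca.pubkey or (check_params and root.curve != ca.curve):
            continue
        return leaf.signature is not None and ecdsa_verify(ca.curve, ca.pubkey, leaf.tbs(), leaf.signature)
    return False

def forge_ca(root: Cert, d_fake: int = 1) -> Tuple[Cert, int]:
    """Attacker: keep the root's public key Q, pick d' and G' = d'^-1 * Q so that d' * G' == Q."""
    g_fake = root.curve.mul(pow(d_fake, -1, root.curve.n), root.pubkey)
    return Cert(root.subject, replace(root.curve, g=g_fake), root.pubkey), d_fake

ROOT_KEY = 7  # assumed; held by the real CA and never learned by the attacker
TRUSTED_ROOT = Cert("Trusted Root CA", STANDARD, STANDARD.mul(ROOT_KEY, STANDARD.g))

def demo() -> dict:
    leaf_pub = STANDARD.mul(3, STANDARD.g)  # assumed leaf key
    good_leaf = issue(STANDARD, ROOT_KEY, Cert("CN=signer.example.test", STANDARD, leaf_pub))
    fake_ca, d_fake = forge_ca(TRUSTED_ROOT)
    bad_leaf = issue(fake_ca.curve, d_fake, Cert("CN=malware.example.test", STANDARD, leaf_pub))
    return {f"{name}_{mode}": validate_chain(ca, leaf, [TRUSTED_ROOT], check)
            for name, ca, leaf in (("legit", TRUSTED_ROOT, good_leaf), ("forged", fake_ca, bad_leaf))
            for mode, check in (("vulnerable", False), ("fixed", True))}
```

`demo()` returns four outcomes: the genuine chain is accepted in both modes, while the forged chain (root key never known, but d' = 1 and G' = Q) is accepted by the public-key-only check and rejected once the parameters are compared against the trusted root. On a real 256-bit curve the arithmetic is identical; only the field size changes.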


The security update addresses the vulnerability by ensuring that Windows CryptoAPI fully validates ECC certificates, including their curve parameters. After applying the patch, an attempt to use a forged certificate is recorded in the Windows Event Logs: the Application log receives Event ID 1 from the source Audit-CVE with the message "[CVE-2020-0601] cert validation", together with the issuing CA and the SHA-1 thumbprint of the certificate involved. Refer to Microsoft's release note for more details on how to identify forged certificates that exploit this vulnerability. Note that the entry is written only by patched systems; an unpatched system accepts the forged certificate silently, so the absence of events on an unpatched host proves nothing.
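
As an added example of the detection side (not Microsoft tooling): the function below sifts an XML export of the Application log, such as the output of `wevtutil qe Application /f:xml` wrapped in a root element, for the Audit-CVE Event ID 1 entries described above. The sample export, the host name, the CA name and the thumbprint are constructed for this page, and the EventData field names (`CveId`, `AdditionalDetails`) are assumed, so the filter keys on provider name, event ID and the CVE identifier appearing in the event text rather than on those names alone.

```python
"""Sift an Application-log XML export for CVE-2020-0601 audit events (constructed example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}
# The patched CryptoAPI writes to the Application log with source "Audit-CVE", Event ID 1.
PROVIDER_SUFFIX = "Audit-CVE"
EVENT_ID = 1

# Constructed sample: two events wrapped in a root element, in the shape of
# `wevtutil qe Application /f:xml`. Host, CA name, thumbprint and Data names are made up.
SAMPLE_EXPORT = f"""<Events>
<Event xmlns="{EVT_NS}">
  <System>
    <Provider Name="Microsoft-Windows-Audit-CVE"/>
    <EventID>1</EventID>
    <TimeCreated SystemTime="2020-01-16T02:14:09.000Z"/>
    <Computer>ws-finance-07.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="CveId">[CVE-2020-0601] cert validation</Data>
    <Data Name="AdditionalDetails">CA: CN=Example Root CA sha1: 0123456789abcdef0123456789abcdef01234567</Data>
  </EventData>
</Event>
<Event xmlns="{EVT_NS}">
  <System>
    <Provider Name="Constructed-Noise-Provider"/>
    <EventID>1</EventID>
    <TimeCreated SystemTime="2020-01-16T02:15:00.000Z"/>
    <Computer>ws-finance-07.corp.example</Computer>
  </System>
  <EventData><Data Name="Msg">unrelated event that happens to share ID 1</Data></EventData>
</Event>
</Events>"""


@dataclass
class CveHit:
    time: str
    computer: str
    cve: str
    details: str


def find_cve_events(xml_text: str, cve: str = "CVE-2020-0601") -> List[CveHit]:
    """Return Audit-CVE ID 1 events whose event data mentions `cve`."""
    hits: List[CveHit] = []
    for ev in ET.fromstring(xml_text).iter(f"{{{EVT_NS}}}Event"):
        system = ev.find("e:System", NS)
        if system is None:
            continue
        provider = system.find("e:Provider", NS)
        if provider is None or not provider.get("Name", "").endswith(PROVIDER_SUFFIX):
            continue
        if int(system.findtext("e:EventID", "0", NS)) != EVENT_ID:
            continue
        # Collect every Data element; match on the CVE string anywhere in the text so the
        # check does not depend on the exact Data names Microsoft uses.
        data: Dict[str, str] = {d.get("Name", ""): (d.text or "") for d in ev.iterfind("e:EventData/e:Data", NS)}
        joined = " ".join(data.values())
        if cve not in joined:
            continue
        tc = system.find("e:TimeCreated", NS)
        hits.append(CveHit(
            time=tc.get("SystemTime", "") if tc is not None else "",
            computer=system.findtext("e:Computer", "", NS),
            cve=cve,
            details=data.get("AdditionalDetails", joined),
        ))
    return hits


def hosts_with_hits(hits: List[CveHit]) -> Dict[str, int]:
    """Count hits per host: the triage list (which machine saw which forged CA)."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.computer] = counts.get(h.computer, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_cve_events(SAMPLE_EXPORT):
        print(hit.time, hit.computer, hit.details)
```

The same filter (Application log, source Audit-CVE, Event ID 1) is what to configure in a SIEM or in Event Viewer on a patched host; the parser above is for exports collected from many machines. A hit means a forged chain was presented to a patched system, so the binary or TLS endpoint named in the details should be investigated, and any unpatched host that the same artefact could have reached should be treated as potentially compromised.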

Windows Remote Desktop Protocol (RDP) Vulnerabilities

•            CVE-2020-0609, CVE-2020-0610 - These two vulnerabilities exist in the Windows Remote Desktop Gateway (RD Gateway) server. They are pre-authentication flaws: an unauthenticated attacker who can reach the gateway over RDP sends specially crafted requests to it and triggers the execution of arbitrary code on the gateway, with no user interaction required. Public analysis of the patch showed that the flaws lie in the gateway's UDP transport (UDP port 3391 by default); where the update cannot be applied at once, disabling the UDP transport on the RD Gateway or blocking that port at the perimeter removes the attack surface for these two issues until it is.

•            CVE-2020-0611 - This vulnerability exists in the Windows Remote Desktop Client and is triggered when a user connects to a malicious or compromised RDP server; the attacker can then execute arbitrary code on the connecting client. The user has to be induced to connect, for example through social engineering, DNS poisoning or a man-in-the-middle position.

For the full list of security patches released by Microsoft, please visit https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Jan


Affected Products

CVE-2020-0601

•            Microsoft Windows 10 (32 and 64 bit)

•            Microsoft Windows Server 2016

•            Microsoft Windows Server 2019

•            Microsoft Windows Server, versions 1803, 1903 and 1909 (Server Core installation)

CVE-2020-0609, CVE-2020-0610

•            Microsoft Windows Server 2012 and 2012 R2

•            Microsoft Windows Server 2016

•            Microsoft Windows Server 2019

Only servers on which the Remote Desktop Gateway role service is installed are exposed; an RDP host that is not an RD Gateway is not affected by these two vulnerabilities.

CVE-2020-0611

•            Microsoft Windows 7 (32 and 64 bit)

•            Microsoft Windows 8.1 (32 and 64 bit)

•            Microsoft Windows 10 (32 and 64 bit)

•            Microsoft Windows Server 2008 and 2008 R2

•            Microsoft Windows Server 2012 and 2012 R2

•            Microsoft Windows Server 2016

•            Microsoft Windows Server 2019

Windows 7 and Windows Server 2008/2008 R2 reached end of support on 14 January 2020. This release is the last one delivered to them without an Extended Security Updates (ESU) licence, so organisations still running them should confirm that the update has actually been installed and plan for migration or ESU.

Impact

CVE-2020-0601

Successful exploitation of this vulnerability could allow attackers to spoof a trusted certificate chain: to sign malicious executables so that they pass as software from a trusted publisher, or to present a forged TLS certificate and so conduct man-in-the-middle attacks that intercept and decrypt confidential information on user connections to the affected software.

CVE-2020-0609, CVE-2020-0610, CVE-2020-0611

Successful exploitation of these vulnerabilities could allow attackers to perform remote code execution and take control of the affected systems: the RD Gateway (CVE-2020-0609, CVE-2020-0610) without any credentials, and the Remote Desktop Client (CVE-2020-0611) once a user has been induced to connect to an attacker-controlled server. With that control, attackers can install programmes, create rogue administrator accounts, and view, change or delete data.

Recommendation

Users and system administrators of affected products are strongly encouraged to install the security updates immediately, giving priority to the four vulnerabilities above. Internet-facing RD Gateway servers should be patched first, since CVE-2020-0609 and CVE-2020-0610 require no authentication.

References

https://www.us-cert.gov/ncas/alerts/aa20-014a

https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Jan

https://kb.cert.org/vuls/id/849224/

https://kb.cert.org/vuls/id/491944