Skip to main content

https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/

Speculation is that it will be an update to crypt32.dll, the module that handles all certificate and cryptographic functions.

Make sure to get all the news and analysis here:

 

Webinar: Automating Patch Tuesday: January 2020

Join Richard Melick for a review of the first Patch Tuesday of 2020. He'll discuss Microsoft's updates, third-party security patches, and tips for automatically protecting your infrastructure from these vulnerabilities.

And here’s the full story:

NSA found a dangerous Microsoft software flaw and alerted the firm — rather...

The disclosure represents a major shift in the agency’s approach, choosing to put computer security ahead of building up its arsenal of hacking tools.

 

 


I can’t wait to hear about all the exploits in Windows 7 starting tomorrow.


Ironically, since the cryptographic update is for Windows 10 only, for today Windows 7 is the most secure OS in the Windows family.


And here’s the patch index page for today:

January 2020 Patch Tuesday Index

For the latest Patch Updates from Microsoft and third-party vendors, bookmark the Automox January 2020 Patch Tuesday Index, updated live throughout the day.


And here’s the ever hilarious analysis from The Register:

Welcome to the 2020s: Booby-trapped Office files, NSA tipping off Windows...

Grab your Microsoft, Adobe, SAP, Intel, and VMware fixes now

 

 


Here’s our blog breakdown:

Automox Patch Tuesday Breakdown: January 2020

Let Automox help break down the first Patch Tuesday of 2020. We cover critical updates from Microsoft as well as other third-party application releases that will help secure your environment.


We also got some good press around sharing our analysis and recommendations:

 

January 2020 Patch Tuesday: Microsoft nukes Windows crypto flaw flagged by...

January 2020 Patch Tuesday: the "star of the show" is a Windows flaw that could allow attackers to successfully spoof code-signing certificates.

Oracle Ties Previous All-Time Patch High with January Updates

The software giant patched 300+ bugs in its quarterly update.

U.S. Government Issues Critical Windows 10 ‘Update Now’ Alert

Multiple U.S. Government agencies are urging Windows 10 users to update as soon as possible.

 

In case you don’t follow Swift on Security, here’s their take on things:

 

SwiftOnSecurity (SwiftOnSecurity)

COMMENTARY ON CVE-2020-0601: I have been speaking to several players on this on background and there are a few things they want to highlight / clarify based on the public discourse so far.

Amitai Rottem @AmitaiTechie

Windows Defender Antivirus detects files w/crafted certificates exploiting the certificate validation vulnerability: ​Exploit:Win32/CVE-2020-0601.A (PE files) Exploit:Win32/CVE-2020-0601.B (Scripts) Also, #Microsoft Defender ATP has a threat report on your posture. #CVE-2020-0601 pic.twitter.com/dFqJV5za8F
 

 


More details on the proof of concept exploit:

Proof-of-concept exploits published for the Microsoft-NSA crypto bug | ZDNet

Two proof-of-concept exploits published for the CurveBall (CVE-2020-0601) vulnerability.


And the researchers used the proof of concept to rickroll the NSA:

Critical Windows 10 vulnerability used to Rickroll the NSA and Github

Attack demoed less than 24 hours after disclosure of bug-breaking certificate validation.

 

 


Looks like the patch is having problems for some people:

Microsoft releases critical Windows 10 security update – which doesn’t work

Another fail – and this time it’s serious

 

 

Has anyone run into this?


Reply