It's gonna be a big Patch Tuesday

  • 13 January 2020
  • 11 replies
  • 115 views


https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/

Speculation is that it will be an update to crypt32.dll, the module that handles all certificate and cryptographic functions.

Make sure to get all the news and analysis here:


Webinar: Automating Patch Tuesday: January 2020

Join Richard Melick for a review of the first Patch Tuesday of 2020. He'll discuss Microsoft's updates, third-party security patches, and tips for automatically protecting your infrastructure from these vulnerabilities.



And here’s the full story:

NSA found a dangerous Microsoft software flaw and alerted the firm — rather...

The disclosure represents a major shift in the agency’s approach, choosing to put computer security ahead of building up its arsenal of hacking tools.


I can’t wait to hear about all the exploits in Windows 7 starting tomorrow.


Ironically, since the cryptographic update is for Windows 10 only, for today Windows 7 is the most secure OS in the Windows family.


And here’s the patch index page for today:

January 2020 Patch Tuesday Index

For the latest Patch Updates from Microsoft and third-party vendors, bookmark the Automox January 2020 Patch Tuesday Index, updated live throughout the day.


And here’s the ever hilarious analysis from The Register:

Welcome to the 2020s: Booby-trapped Office files, NSA tipping off Windows...

Grab your Microsoft, Adobe, SAP, Intel, and VMware fixes now


Here’s our blog breakdown:

Automox Patch Tuesday Breakdown: January 2020

Let Automox help break down the first Patch Tuesday of 2020. We cover critical updates from Microsoft as well as other third-party application releases that will help secure your environment.


We also got some good press around sharing our analysis and recommendations:


January 2020 Patch Tuesday: Microsoft nukes Windows crypto flaw flagged by...

January 2020 Patch Tuesday: the "star of the show" is a Windows flaw that could allow attackers to successfully spoof code-signing certificates.

Oracle Ties Previous All-Time Patch High with January Updates

The software giant patched 300+ bugs in its quarterly update.

U.S. Government Issues Critical Windows 10 ‘Update Now’ Alert

Multiple U.S. Government agencies are urging Windows 10 users to update as soon as possible.


In case you don’t follow Swift on Security, here’s their take on things:


SwiftOnSecurity (SwiftOnSecurity)

COMMENTARY ON CVE-2020-0601: I have been speaking to several players on this on background and there are a few things they want to highlight / clarify based on the public discourse so far.

Amitai Rottem @AmitaiTechie

Windows Defender Antivirus detects files w/crafted certificates exploiting the certificate validation vulnerability: Exploit:Win32/CVE-2020-0601.A (PE files) Exploit:Win32/CVE-2020-0601.B (Scripts) Also, #Microsoft Defender ATP has a threat report on your posture. #CVE-2020-0601 pic.twitter.com/dFqJV5za8F
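The two detection names quoted in that tweet are the practical hook for a defender: pull them out of Defender's detection events and turn them into a list of hosts to check for the January patch. The script below is an added example for this thread, not code from Automox or from any of the linked articles. The log line layout and the host names and paths in it are constructed for the example; the only values taken from the thread are the two detection names. It assumes Defender's documented event IDs 1116 (malware detected) and 1117 (action taken) when deduplicating.

```python
import re
from dataclasses import dataclass

# Detection names as quoted in the thread (Windows Defender Antivirus).
DETECTION_KIND = {
    "Exploit:Win32/CVE-2020-0601.A": "PE file with crafted certificate",
    "Exploit:Win32/CVE-2020-0601.B": "script with crafted certificate",
}

# Constructed sample lines in a flattened key=value shape, standing in for
# Defender detection events exported from a SIEM. Hosts and paths are made up.
SAMPLE_LOG = """\
2020-01-15T10:02:11Z host=ws-101 eventid=1116 name=Exploit:Win32/CVE-2020-0601.A path=C:\\Users\\alice\\Downloads\\installer.exe action=Quarantine
2020-01-15T10:05:47Z host=ws-102 eventid=1116 name=Trojan:Win32/Generic!ml path=C:\\Temp\\x.exe action=Quarantine
2020-01-15T10:09:03Z host=srv-01 eventid=1116 name=Exploit:Win32/CVE-2020-0601.B path=C:\\scripts\\deploy.ps1 action=Quarantine
2020-01-15T10:11:30Z host=ws-101 eventid=1117 name=Exploit:Win32/CVE-2020-0601.A path=C:\\Users\\alice\\Downloads\\installer.exe action=Quarantine
this line is not a detection event and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) eventid=(?P<eid>\d+) "
    r"name=(?P<name>\S+) path=(?P<path>.+?) action=(?P<action>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    name: str
    kind: str
    path: str


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_curveball_detections(text):
    """Collect initial (event 1116) detections whose name is one of the
    CVE-2020-0601 signatures. Event 1117 repeats the same item with the
    action taken, so it is skipped to avoid double counting."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["name"] not in DETECTION_KIND:
            continue
        if rec["eid"] != "1116":
            continue
        findings.append(
            Finding(rec["ts"], rec["host"], rec["name"],
                    DETECTION_KIND[rec["name"]], rec["path"])
        )
    return findings


def hosts_to_verify(findings):
    """Distinct hosts that saw a crafted certificate; these are the machines
    whose crypt32.dll patch state should be confirmed first."""
    return sorted({f.host for f in findings})


if __name__ == "__main__":
    found = find_curveball_detections(SAMPLE_LOG)
    for f in found:
        print(f"{f.ts} {f.host}: {f.kind} ({f.name}) at {f.path}")
    print("verify patch on:", ", ".join(hosts_to_verify(found)))
```

A detection here means a file carrying a crafted certificate reached the host and was caught by the antivirus engine; it does not by itself tell you whether the host is patched, which is why the output is a verification list rather than a verdict.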

More details on the proof of concept exploit:

Proof-of-concept exploits published for the Microsoft-NSA crypto bug | ZDNet

Two proof-of-concept exploits published for the CurveBall (CVE-2020-0601) vulnerability.


And the researchers used the proof of concept to rickroll the NSA:

Critical Windows 10 vulnerability used to Rickroll the NSA and Github

Attack demoed less than 24 hours after disclosure of bug-breaking certificate validation.


Looks like the patch is having problems for some people:

Microsoft releases critical Windows 10 security update – which doesn’t work

Another fail – and this time it’s serious


Has anyone run into this?
