Security News > 2020 > January > January 2020 Patch Tuesday: Microsoft nukes Windows crypto flaw flagged by the NSA
As forecasted, January 2020 Patch Tuesday releases by Microsoft and Adobe are pretty light: the "Star of the show" is CVE-2020-0601, a Windows flaw flagged by the NSA that could allow attackers to successfully spoof code-signing certificates and use them to sign malicious code or intercept and modify encrypted communications.
The flaw only affects newer versions of Windows and Windows Server, and is found in the Windows CryptoAPI, which validates Elliptic Curve Cryptography certificates.
The security update fixes it and creates a new entry in the Windows event logs if an attacker attempts to use a forged certificate against a patched system.
It goes without saying that admins should prioritize this security update for Windows 10, Windows Server 2016 and 2019.
Users who still use Windows 7, Windows Server 2008 R2, and Windows Server 2008 are reminded once more that support for those ends today and that the patches for them released today, covering 22 CVEs, are the last they'll get for free.
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/6xsDlL9LxAI/
Related news
- Microsoft says premature patch could make Windows Recall forget how to work (source)
- Microsoft December 2024 Patch Tuesday fixes 1 exploited zero-day, 71 flaws (source)
- Microsoft holds last Patch Tuesday of the year with 72 gifts for admins (source)
- Patch Tuesday: Microsoft Patches One Actively Exploited Vulnerability, Among Others (source)
- What Is Patch Tuesday? Microsoft’s Monthly Update Explained (source)
- Microsoft January 2025 Patch Tuesday fixes 8 zero-days, 159 flaws (source)
- Windows Patch Tuesday hits snag with Citrix software, workarounds published (source)
- Microsoft says having a TPM is "non-negotiable" for Windows 11 (source)
- December 2024 Patch Tuesday forecast: The secure future initiative impact (source)
- Windows, macOS users targeted with crypto-and-info-stealing malware (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-01-14 | CVE-2020-0601 | Improper Certificate Validation vulnerability in multiple products A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'. | 8.1 |