Security News

Swiss encryption machine company Crypto AG was secretly owned by the CIA and a West Germany spy agency at the height of the Cold War, according to explosive revelations in Swiss and German media today. Although rumours had swirled for decades around Crypto AG and the backdooring of its products by the West - cough, cough, NSA - and not forgetting careless remarks by former US prez Ronald Reagan, today's publications by Swiss broadcaster SRF and German broadcaster ZDF confirm those old suspicions.

The vulnerability is undoubtedly very serious, but in the days since its disclosure I have started to wonder if there is a silver lining to this cloud. First, it appears this vulnerability only affects the latest editions of Windows, including Windows 10, Windows Server 2016, Windows Server 2019 and their derivatives.

Exploits for Citrix ADC and Gateway flaw abound, attacks are ongoingWith several exploits targeting CVE-2019-19781 having been released over the weekend and the number of vulnerable endpoints still being over 25,000, attackers are having a field day. January 2020 Patch Tuesday: Microsoft nukes Windows crypto flaw flagged by the NSAAs forecasted, January 2020 Patch Tuesday releases by Microsoft and Adobe are pretty light: the "Star of the show" is CVE-2020-0601, a Windows flaw flagged by the NSA that could allow attackers to successfully spoof code-signing certificates and use them to sign malicious code or intercept and modify encrypted communications.

Several industry professionals have shared thoughts with SecurityWeek about the vulnerability, its impact, and the possible reasons why the NSA disclosed it rather than using it in its own operations. "While this is a serious vulnerability that should be patched, there's no need to panic. When you look at the vulnerability and the number of affected systems, this does not reach the level of Heartbleed or WannaCry scenarios from the past. Also, our research shows that behavioral analysis of malware still detects malware as malicious, even if it's signed with an ostensibly legitimate certificate."

Two proof-of-concept exploits have been publicly released for the recently-patched crypto-spoofing vulnerability found by the National Security Agency and reported to Microsoft. The two PoC exploits were published to GitHub on Thursday.

Several proof-of-concept exploits have already been created - and some of them have been made public - for CVE-2020-0601, the crypto-related Windows vulnerability that Microsoft patched recently after being notified by the U.S. National Security Agency. Currently, there is no evidence that the vulnerability has been exploited in attacks, but PoC exploits have been created for CVE-2020-0601 much faster than many had anticipated.

A major Microsoft crypto-spoofing bug impacting Windows 10 made waves this Patch Tuesday, particularly as the flaw was found and reported by the U.S. National Security Agency. Microsoft's January Patch Tuesday security bulletin disclosed the "Important"-severity vulnerability, which could allow an attacker to spoof a code-signing certificate, vital to validating executable programs in Windows, and make it appear as if an application was from a trusted source.

One of the functions that the CryptoAPI offers is to check and validate so-called digital certificates, which are blocks of cryptographic data that are used to vouch for online services you use or files you load. Digital certificates are the cryptographic sauce that puts the S into HTTPS, and the padlock into your browser's address bar. The idea is that you create a certificate to vouch for your website or your software; you get a so-called Certificate Authority to sign your certificate to vouch for you; and your browser or operating system - in this case, Microsoft's CryptoAPI, vouches for the CA. Digital certificates considered important.

January Patch Tuesday tackles 50 bugs, with eight rated critical, all as it pushes out its last regular Windows 7 patches. A major crypto-spoofing bug impacting Windows 10 users has been fixed as part of Microsoft's January Patch Tuesday security bulletin.

As forecasted, January 2020 Patch Tuesday releases by Microsoft and Adobe are pretty light: the "Star of the show" is CVE-2020-0601, a Windows flaw flagged by the NSA that could allow attackers to successfully spoof code-signing certificates and use them to sign malicious code or intercept and modify encrypted communications. The flaw only affects newer versions of Windows and Windows Server, and is found in the Windows CryptoAPI, which validates Elliptic Curve Cryptography certificates.