Patch and protect against the Windows cryptographic vulnerability with Microsoft Defender ATP

January 2020’s security update release for Windows 10 and Windows Server 2016/2019 contains an important fix for “a broad cryptographic vulnerability” that impacts the Windows Operating system.

This warrants attention – the vulnerability discovered is severe enough that the United States National Security Agency (NSA) have issued a Cybersecurity Advisory, and the United States Department of Homeland Security have issued an Emergency Directive, both directing organisations to patch this flaw as soon as possible.

What is the Windows CryptoAPI vulnerability?

The vulnerability first identified by the NSA (CVE-2020-0601), impacts the Windows CryptoAPI. This is a core component of the Windows operating system that handles cryptographic operations.

The identified vulnerability specifically relates to the way that the CryptoAPI component validates Elliptic Curve Cryptography (ECC certificates).

Why is this important?

Windows relies on trusting code-signing certificates to determine whether to run an application or executable.

If an attacker can now compromise the root of trust for applications, then the potential exists for this vulnerability to be exploited to allow malicious software with spoofed code-signing certificates to run on an endpoint – thereby bypassing the underlying certificate trust-based protection mechanisms built into the operating system.

Successful exploitation of this flaw can also allow a malicious actor to conduct man-in-the-middle attacks and decrypt confidential information on user connections to affected software.

The NSA have deemed this vulnerability to be so serious, they provided advance notice of the issue to critical infrastructure providers within the United States prior to the patch being released.

What operating systems are affected?

The following operating systems are impacted by the identified flaw:

• Windows 10
• Windows Server 2016
• Windows Server 2016 (server core installation)
• Windows Server 2019
• Windows Server 2019 (server core installation)
• Windows Server, version 1803 (server core installation)
• Windows Server, version 1903 (server core installation)
• Windows Server, version 1909 (server core installation)

What do I need to do?

Microsoft have released a patch to address the vulnerability.

All customers are urged to apply January’s security updates as soon as possible.

What are the ramifications if I don’t act?

Microsoft have not yet seen active exploitation of this flaw in the wild, so have marked the patch as “Important” rather than the highest “Critical” level used for major security flaws. However, the NSA states that:

“The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors.

“NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable.”

Detecting and protecting – Microsoft Defender Advanced Threat Protection

As you would expect from recognised leaders in endpoint protection, Microsoft immediately deployed updated protection and alerting mechanisms to Microsoft Defender Advanced Threat Protection (MDATP).

This includes:

• Detection of files with crafted certificates that exploit the certificate validation vulnerability.
• Updated behavioural-based detections to identify possible exploitation attempts.
• Threat and vulnerability management capabilities updated to discover and remediate this vulnerability on endpoints.
• Access to an in-depth threat analytics report providing the following information: Technical details; detection and mitigation information; advanced hunting queries to proactively hunt for exploitation.

Useful links

For more information about this vulnerability, visit the Microsoft website.

To find out more about Microsoft Defender Advanced Threat Protection, watch our on-demand webinar.