
Patch Tuesday Aftermath: NSA Crypt32 Threat is Real, But Not Yet Imminent

The mess behind the UEFI patch Microsoft KB 4524244

In one of the most closely watched Patch Tuesdays in memory, Microsoft yesterday released security patches for all recent versions of Windows. The star of the show: a security hole reported by the NSA. As of Wednesday morning, there is at least one Crypt32 attack in sight, but it is far from terrifying.

Get ready for the weather reporter at your local news station to lecture you on the importance of Windows patches.

Yesterday brought a notable Patch Tuesday. «Notable» in particular in the sense that the US National Security Agency decided to publish a press release (PDF):

The NSA recommends installing all January 2020 Patch Tuesday patches as soon as possible to effectively mitigate the vulnerability on all Windows 10 and Windows Server 2016/2019 systems.

This is a first. Until now, the NSA has never publicly acknowledged its contributions to Microsoft’s patching efforts, nor has it cracked the whip on Microsoft’s behalf. Security guru Brian Krebs attributes this to a change in thinking at the NSA:

Sources say the NSA’s disclosure is planned to be the first of many as part of a new NSA initiative called «Transform a New Leaf,» which aims to provide investors with more investigations into the agency’s vulnerabilities.

Krebs has an excellent overview of the security hole, loaded with several striking analogies. Get the technical details of the vulnerability in Kenneth White’s Microsoft Chain of Fools write-up. If you haven’t been inundated with half-baked explanations yet, rest assured that every media outlet in the world is busy digesting and regurgitating the complexity of CryptoAPI and Elliptic Curve Cryptography certificates.

What does all this mean? If someone can crack CVE-2020-0601, they will be able to create programs that appear to come from a trusted source. That is a scary prospect, but it is a long way from a third-degree polynomial to working ransomware.

And no, CVE-2020-0601 cannot be used to break into the Windows Update chain.

Early Wednesday morning, at least one top hacker had built a working «proof of concept» exploit. Casey Smith (@subTee) has a PoC, but it is not yet ready for large-scale use. As Kevin Beaumont puts it, «It’s not practical to scale for many reasons.»

So, with everyone, the NSA, ’Softie, your weather forecaster, and your hairdresser’s boyfriend’s precocious but smelly nine-year-old, telling you to apply the patch NOW, why wait?

Because there are problems with this month’s Win10 patches.

Bugs always take time to surface. This month is no different. Early Wednesday morning, I’m seeing many reports of problems installing the patches, the same kinds of problems I’ve seen for many years. Nobody knows whether darker problems are lurking; it’s still too early to tell.

For now, I recommend that you hold off on all of the Patch Tuesday patches until we have a chance to see what other surprises await us. That assessment can change quickly, so stay tuned.

If you are responsible for Server 2012, 2012 R2, 2016 and/or 2019 systems, there is a much bigger issue that you have to face right now. Two of the security holes fixed this month, CVE-2020-0609 and CVE-2020-0610, concern a flaw in the Windows Remote Desktop Gateway, RDgateway, that will let anyone into your system if you log on through port 443. As Patch Lady Susan Bradley says:

If you are an IT consultant or administrator with an Essentials 2012 server (or later), or you use the RDgateway feature and expose it through port 443 to allow users to access RDweb or their desktops, forget about the crypt32.dll error. This is the one to worry about.

The January patches should be your top priority because of this active security hole. And, of course, if you’re using Pulse Connect Secure VPN or a Citrix Gateway / ADC / NetScaler box, you’ve already locked it down (or disconnected it), haven’t you?

This month we had almost no «quality updates» other than security fixes, i.e., almost no plain bug fixes. With a few annoying exceptions (one in Win10 version 1809), none of this month’s Windows patches include documented non-security fixes. In fact, I’ve seen very few non-security patches since October.

All this highlights a continuing problem with the «as a service» approach of bundling all of the month’s patches into one big lump. If we had separate Crypt32 and RDgateway patches, people could choose to fix the big holes while waiting for bug reports on the small ones.

If wishes were horses, hackers would ride.