Microsoft gives vulnerabilities that it considers dangerous a rating of Critical.
In a statement issued on Tuesday, the NSA's Neal Ziring, technical director of the agency's Cyber Security Directorate, said CVE-2020-0601 was a serious bug because it could be exploited to undermine public key infrastructure trust.
"The vulnerability permits an attacker to craft PKI certificates to spoof trusted identities, such as individuals, Websites, software companies, service providers, or others," Ziring said.
"Using a forged certificate, the attacker can (under certain conditions) gain the trust of users or services on vulnerable systems, and leverage that trust to compromise them."
"The NSA did a big press tour... before announcement so expect big media play."
There are some incentives around press coverage, vendor scares etc., along with tribalism and human condition concerns. My take: ignore it all, keep calm, carry on and do the needful.
— Kevin Beaumont (@GossiTheDog) January 14, 2020
He was referring to a leak to former Washington Post employee Brian Krebs, who writes a blog about security issues. Krebs had a story up on Tuesday AEST in which he said the bug would affect all versions of Windows, something which turned out to be incorrect. The flaw only affects Windows 10, Windows Server 2019 and Windows Server 2016.
Pwn All The Things actually read the advisory here, which I would suggest more people do. The vulnerability is specifically about *ECC verification*, and the scope is much more nuanced and smaller than some InfoSec vendors will have you believe. https://t.co/2yS3mjbDHA
— Kevin Beaumont (@GossiTheDog) January 14, 2020
Another security researcher, who goes by the moniker Pwn All The Things, appeared to agree with Beaumont's assessment, posting this: "The NSA advisory explicitly says it's a bug in ECC verification and says to look for attackers using truncated curves rather than the named ones, so the RSA signatures on the WU CAB files will be fine."
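As an added illustration of the distinction drawn above between named curves and explicitly specified curve parameters (this is example code written for this page, not code from the article, the NSA advisory or Microsoft): the check below walks a DER-encoded SubjectPublicKeyInfo and reports whether an EC public key references its curve by a named-curve OID or carries an explicit ECParameters structure, which is the shape a defender would flag when hunting for certificates built to abuse CVE-2020-0601. The sample keys are constructed placeholders, not real certificates.

```python
# Added example (not from the article or the NSA advisory): a minimal DER walk
# over a SubjectPublicKeyInfo that separates named-curve EC keys from keys
# carrying explicit curve parameters. The sample keys below are constructed.

ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # OID 1.2.840.10045.2.1
SECP256R1 = bytes.fromhex("2a8648ce3d030107")       # OID 1.2.840.10045.3.1.7

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + body

def der_read(buf: bytes, pos: int):
    """Decode one TLV at pos; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def ec_parameter_kind(spki: bytes) -> str:
    """'named' for a curve OID, 'explicit' for an ECParameters SEQUENCE, else 'not-ec'."""
    tag, body, _ = der_read(spki, 0)
    alg_tag, alg_body, _ = der_read(body, 0)
    if tag != 0x30 or alg_tag != 0x30:
        raise ValueError("malformed SubjectPublicKeyInfo")
    oid_tag, oid, nxt = der_read(alg_body, 0)
    if oid_tag != 0x06 or oid != ID_EC_PUBLIC_KEY:
        return "not-ec"
    param_tag = der_read(alg_body, nxt)[0]   # OID -> named curve, SEQUENCE -> explicit
    return {0x06: "named", 0x30: "explicit"}.get(param_tag, "unknown")

# Constructed samples. The point bytes and the ECParameters body are placeholders
# (only the parameter tag matters to the classifier); a real explicit SEQUENCE
# also carries fieldID, curve, base point, order and cofactor.
POINT = der_tlv(0x03, b"\x00\x04" + b"\x11" * 64)
ALG = der_tlv(0x06, ID_EC_PUBLIC_KEY)
NAMED_SPKI = der_tlv(0x30, der_tlv(0x30, ALG + der_tlv(0x06, SECP256R1)) + POINT)
EXPLICIT_SPKI = der_tlv(0x30, der_tlv(0x30, ALG + der_tlv(0x30, der_tlv(0x02, b"\x01"))) + POINT)
```

A certificate whose key reports "explicit" is not proof of abuse on its own, but it is rare in practice and is the first thing worth triaging on a system that has not yet received the January 2020 update.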
The NSA's post led to some speculation that the agency's decision to publicise the fact that it had found such a bug, and had disclosed it to Microsoft rather than keeping it quiet, was a PR stunt.
Freelance journalist Kim Zetter raised the question thus: "NSA discovered an error in the Microsoft code that verifies those signatures, potentially enabling a hacker to forge the signature and install spyware or ransomware on a computer. Is this whole thing just a public relations move for NSA to earn points after EternalBlue debacle?"
EternalBlue is an exploit that was leaked from the NSA in 2016 by an unknown group calling itself the Shadow Brokers. It has been used in a number of major attacks, most notably the WannaCry ransomware, and has led to a good deal of criticism of the NSA's security set-up.
Commenting on the NSA's announcement, Chris Morales, head of security analytics at Vectra AI, said: "Kudos to the NSA for informing Microsoft and to Microsoft for quickly reacting. I'd be interested to understand what makes this exploit worth reporting to Microsoft instead of keeping for their personal arsenal as they have in the past.
"It could be because many of those previous tools leaked and have caused widespread damage across multiple organisations. It could be because there was concern others would find this vulnerability themselves and it was dangerous enough to warrant remediation instead of weaponising. Or it just could be the NSA already has enough other methods for compromising a Windows system and doesn’t need it."
With Spectre we had all kinds of people saying they could “easily” get RCE and such with it. I replied to all those at the time saying cool, produce evidence. Nobody did. It’s very easy to make up theoreticals with this; proof of things is well worth investing time in.
— Kevin Beaumont (@GossiTheDog) January 14, 2020
Renaud Deraison, co-founder and chief technology officer of security firm Tenable, commented: "CVE-2020-0601 hits at the very trust we have in today's digital computing environments – trust to authenticate binaries and trust that our ciphered communications are properly protected.
"The flaw would enable an attacker, among other things, to exploit how Windows verifies cryptographic trust, enabling them to deliver executable code and making it look like it came from a trusted source.
"You can imagine its use in ransomware and phishing attacks on unpatched systems. This is a serious vulnerability and one that we fully expect to see exploited in the wild in the coming weeks and months. We will see continued attacks over the course of the year among organisations that do not patch their systems quickly.
"The NSA's responsible disclosure of the vulnerability to Microsoft is a step in the right direction. We look forward to continued public-private sector co-ordination."