Wednesday, 15 January 2020 11:13

NSA issues note about Windows bug, company rates it second in severity


Microsoft has released a patch for a vulnerability in crypt32.dll, a library used for authentication. The company rates the flaw Important, the second rank on its severity scale, yet the NSA has seen fit to issue an advisory about it, something the agency never does.

Vulnerabilities that Microsoft considers the most dangerous receive its top rating, Critical.

In a statement issued on Tuesday, the NSA's Neal Ziring, technical director of the agency's Cyber Security Directorate, said CVE-2020-0601 was a serious bug because it could be exploited to undermine public key infrastructure trust.

"The vulnerability permits an attacker to craft PKI certificates to spoof trusted identities, such as individuals, Websites, software companies, service providers, or others," Ziring said.

"Using a forged certificate, the attacker can (under certain conditions) gain the trust of users or services on vulnerable systems, and leverage that trust to compromise them."

British security researcher Kevin Beaumont described the bug in this manner: "It’s only rated Important; it’s a spoofing issue; to get RCE with it you would need auth, and to have code exec already.

"The NSA did a big press tour... before announcement so expect big media play."

He was referring to a leak to former Washington Post employee Brian Krebs, who writes a blog about security issues. Krebs had a story up on Tuesday AEST in which he said the bug would affect all versions of Windows, something which turned out to be incorrect. The flaw only affects Windows 10, Windows Server 2019 and Windows Server 2016.

Another security researcher, who goes by the moniker Pwn All The Things, appeared to agree with Beaumont's assessment, posting this: "The NSA advisory explicitly says it's a bug in ECC verification and says to look for attackers using truncated curves rather than the named ones, so the RSA signatures on the WU CAB files will be fine."
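The detection hint in that quote, that the bug sits in ECC verification and that a forged certificate specifies its curve explicitly instead of by name, is something a defender can check for directly. The following is an added example, not code from the article, the NSA advisory or Microsoft: a small pure-Python DER walker that inspects an ECC SubjectPublicKeyInfo and reports whether the curve is given by a named-curve OID or by explicit parameters. The function names (`der`, `read_tlv`, `oid_to_str`, `classify_ec_spki`) are the example's own, and every point and parameter value in the samples is a constructed placeholder, not real key material.

```python
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # OID 1.2.840.10045.2.1
SECP256R1 = bytes.fromhex("2a8648ce3d030107")       # OID 1.2.840.10045.3.1.7 (P-256)
PRIME_FIELD = bytes.fromhex("2a8648ce3d0101")       # OID 1.2.840.10045.1.1

def der(tag: int, body: bytes) -> bytes:  # encode one DER TLV, long length form if needed
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf: bytes, pos: int):  # decode TLV at buf[pos] -> (tag, value, next position)
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def oid_to_str(b: bytes) -> str:  # dotted form of a DER-encoded OBJECT IDENTIFIER
    parts, val = [str(b[0] // 40), str(b[0] % 40)], 0
    for x in b[1:]:
        val = (val << 7) | (x & 0x7F)
        if not x & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)

def classify_ec_spki(spki: bytes) -> dict:  # how is the curve specified? flag anything but a named curve
    _, body, _ = read_tlv(spki, 0)        # SubjectPublicKeyInfo SEQUENCE
    _, alg, _ = read_tlv(body, 0)         # AlgorithmIdentifier SEQUENCE
    _, oid, pos = read_tlv(alg, 0)        # algorithm OID
    if oid != ID_EC_PUBLIC_KEY:
        return {"form": "not-ec", "flag": False}
    ptag, params, _ = read_tlv(alg, pos)  # ECParameters CHOICE
    if ptag == 0x06:                      # namedCurve OBJECT IDENTIFIER
        return {"form": "namedCurve", "curve": oid_to_str(params), "flag": False}
    if ptag == 0x30:                      # specifiedCurve SEQUENCE: explicit parameters
        return {"form": "explicitParameters", "flag": True}
    return {"form": "implicitCurve", "flag": True}   # NULL: also not a named curve

# Constructed samples; point and parameter bytes are placeholders, not real key material.
POINT = der(0x03, b"\x00\x04" + b"\x11" * 64)
NAMED_SPKI = der(0x30, der(0x30, der(0x06, ID_EC_PUBLIC_KEY) + der(0x06, SECP256R1)) + POINT)
EXPLICIT_PARAMS = der(0x30, der(0x02, b"\x01")                                      # version
    + der(0x30, der(0x06, PRIME_FIELD) + der(0x02, b"\x00" + b"\xff" * 32))         # fieldID
    + der(0x30, der(0x04, b"\x22" * 32) + der(0x04, b"\x33" * 32))                  # curve a, b
    + der(0x04, b"\x04" + b"\x44" * 64) + der(0x02, b"\x00" + b"\x55" * 32) + der(0x02, b"\x01"))  # base, order, cofactor
EXPLICIT_SPKI = der(0x30, der(0x30, der(0x06, ID_EC_PUBLIC_KEY) + EXPLICIT_PARAMS) + POINT)
```

Run `classify_ec_spki` over the SubjectPublicKeyInfo of each certificate in a chain; a leaf or intermediate whose result carries `"flag": True` deserves a closer look, since legitimate CA issuers use named curves.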

The NSA's post led to some speculation that the agency was publicising the fact that it had found such a bug and disclosed it to Microsoft, rather than keeping it quiet, as a PR stunt.

Freelance journalist Kim Zetter raised the question thus: "NSA discovered an error in the Microsoft code that verifies those signatures, potentially enabling a hacker to forge the signature and install spyware or ransomware on a computer. Is this whole thing just a public relations move for NSA to earn points after EternalBlue debacle?"

EternalBlue is an exploit that was leaked from the NSA in 2016 by an unknown group named the Shadow Brokers. It has been used in a number of major attacks, most notably the WannaCry ransomware, and has led to a good deal of criticism of the NSA's security set-up.

Commenting on the NSA's announcement, Chris Morales, head of security analytics at Vectra AI, said: "Kudos to the NSA for informing Microsoft and to Microsoft for quickly reacting. I'd be interested to understand what makes this exploit worth reporting to Microsoft instead of keeping for their personal arsenal as they have in the past.

"It could be because many of those previous tools leaked and have caused widespread damage across multiple organisations. It could be because there was concern others would find this vulnerability themselves and it was dangerous enough to warrant remediation instead of weaponising. Or it just could be the NSA already has enough other methods for compromising a Windows system and doesn’t need it."

Renaud Deraison, co-founder and chief technology officer of security firm Tenable, commented: "CVE-2020-0601 hits at the very trust we have in today's digital computing environments – trust to authenticate binaries and trust that our ciphered communications are properly protected.

"The flaw would enable an attacker, among other things, to exploit how Windows verifies cryptographic trust, enabling them to deliver executable code and making it look like it came from a trusted source.

"You can imagine its use in ransomware and phishing attacks on unpatched systems. This is a serious vulnerability and one that we fully expect to see exploited in the wild in the coming weeks and months. We will see continued attacks over the course of the year among organisations that do not patch their systems quickly.

"The NSA's responsible disclosure of the vulnerability to Microsoft is a step in the right direction. We look forward to continued public-private sector co-ordination."


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
