Wednesday, 15 January 2020 11:13

NSA issues note about Windows bug, company rates it second in severity


Microsoft has released a patch for a vulnerability in crypt32.dll, a library used for authentication. The company rates the flaw Important, the second rank on its severity rating list, but the NSA has seen fit to issue an advisory about it, something the agency never does.

Vulnerabilities that are considered dangerous get the rating of Critical from Microsoft.

In a statement issued on Tuesday, the NSA's Neal Ziring, technical director of the agency's Cyber Security Directorate, said CVE-2020-0601 was a serious bug because it could be exploited to undermine public key infrastructure trust.

"The vulnerability permits an attacker to craft PKI certificates to spoof trusted identities, such as individuals, Websites, software companies, service providers, or others," Ziring said.

"Using a forged certificate, the attacker can (under certain conditions) gain the trust of users or services on vulnerable systems, and leverage that trust to compromise them."

British security researcher Kevin Beaumont described the bug in this manner: "It’s only rated Important; it’s a spoofing issue; to get RCE with it you would need auth, and to have code exec already.

"The NSA did a big press tour... before announcement so expect big media play."

He was referring to a leak to former Washington Post employee Brian Krebs, who writes a blog about security issues. Krebs had a story up on Tuesday AEST in which he said the bug would affect all versions of Windows, something which turned out to be incorrect. The flaw only affects Windows 10, Windows Server 2019 and Windows Server 2016.

Another security researcher, who goes by the moniker Pwn All The Things, appeared to agree with Beaumont's assessment, posting this: "The NSA advisory explicitly says it's a bug in ECC verification and says to look for attackers using truncated curves rather than the named ones, so the RSA signatures on the WU CAB files will be fine."
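The hint quoted above can be turned into a triage check. The added example below is not from the article, the NSA advisory or Microsoft; it assumes the distinction maps to the EC parameters field of a key's AlgorithmIdentifier (a named-curve OID versus explicitly specified parameters, per RFC 5480), and its function names and sample bytes are constructed for illustration.

```python
# Added example (not from the article or the NSA advisory); names are hypothetical.
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # OID 1.2.840.10045.2.1
P256_OID = bytes.fromhex("2a8648ce3d030107")        # OID 1.2.840.10045.3.1.7
FORMS = {0x06: "named", 0x30: "explicit", 0x05: "implicit"}  # by parameter tag

def read_tlv(buf, pos, end):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > end:
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long-form length, up to 4 bytes
        n = first & 0x7F
        if not 1 <= n <= 4 or pos + n > end:
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise ValueError("DER element overruns its container")
    return tag, pos, pos + length

def ec_curve_forms(der, start=0, end=None):
    """List the curve form of every id-ecPublicKey AlgorithmIdentifier found."""
    end = len(der) if end is None else end
    kids, pos = [], start
    while pos < end:
        kids.append(read_tlv(der, pos, end))
        pos = kids[-1][2]
    found = []
    if kids and kids[0][0] == 0x06 and der[kids[0][1]:kids[0][2]] == ID_EC_PUBLIC_KEY:
        found.append(FORMS.get(kids[1][0], "unknown") if len(kids) > 1 else "absent")
    for tag, vs, ve in kids:
        if tag & 0x20:                     # constructed element: descend
            found += ec_curve_forms(der, vs, ve)
    return found

def tlv(tag, value):                       # sample builder, short lengths only
    return bytes([tag, len(value)]) + value

def sample_spki(params):                   # constructed SubjectPublicKeyInfo
    alg = tlv(0x30, tlv(0x06, ID_EC_PUBLIC_KEY) + params)
    return tlv(0x30, alg + tlv(0x03, b"\x00\x04\x01"))  # dummy key bits

NAMED = sample_spki(tlv(0x06, P256_OID))
EXPLICIT = sample_spki(tlv(0x30, tlv(0x02, b"\x01")))  # placeholder body, not a curve
if __name__ == "__main__":
    print(ec_curve_forms(NAMED), ec_curve_forms(EXPLICIT))
```

The same function accepts a whole DER-encoded certificate; an "explicit" result marks it for closer review and is not by itself proof of a forgery.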

The NSA's post led to some speculation that the agency was publicising, as a PR stunt, the fact that it had found such a bug and disclosed it to Microsoft rather than keeping it quiet.

Freelance journalist Kim Zetter raised the question thus: "NSA discovered an error in the Microsoft code that verifies those signatures, potentially enabling a hacker to forge the signature and install spyware or ransomware on a computer. Is this whole thing just a public relations move for NSA to earn points after EternalBlue debacle?"

EternalBlue is an exploit that was leaked from the NSA in 2016 by an unknown group named the Shadow Brokers. It has been used in a number of major attacks, most notably the WannaCry ransomware, and has led to a good deal of criticism of the NSA's security set-up.

Commenting on the NSA's announcement, Chris Morales, head of security analytics at Vectra AI, said: "Kudos to the NSA for informing Microsoft and to Microsoft for quickly reacting. I'd be interested to understand what makes this exploit worth reporting to Microsoft instead of keeping for their personal arsenal as they have in the past.

"It could be because many of those previous tools leaked and have caused widespread damage across multiple organisations. It could be because there was concern others would find this vulnerability themselves and it was dangerous enough to warrant remediation instead of weaponising. Or it just could be the NSA already has enough other methods for compromising a Windows system and doesn’t need it."

Renaud Deraison, co-founder and chief technology officer of security firm Tenable, commented: "CVE-2020-0601 hits at the very trust we have in today's digital computing environments – trust to authenticate binaries and trust that our ciphered communications are properly protected.

"The flaw would enable an attacker, among other things, to exploit how Windows verifies cryptographic trust, enabling them to deliver executable code and making it look like it came from a trusted source.

"You can imagine its use in ransomware and phishing attacks on unpatched systems. This is a serious vulnerability and one that we fully expect to see exploited in the wild in the coming weeks and months. We will see continued attacks over the course of the year among organisations that do not patch their systems quickly.

"The NSA's responsible disclosure of the vulnerability to Microsoft is a step in the right direction. We look forward to continued public-private sector co-ordination."




Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


