NSA Windows 10 security disclosure raises questions

In an unprecedented move, the NSA has got out in front of a critical cryptographic flaw in Windows 10, but in doing so has raised multiple questions

The cyber security industry is buzzing with questions after Microsoft moved to fix a critical cryptographic flaw that renders Windows 10 and Windows Server 2016 extremely vulnerable to cyber criminals, after a tip-off from the US National Security Agency (NSA).

Anne Neuberger, director of cyber security at the NSA, said in a 14 January 2020 press conference, during which the organisation made the vulnerability public for the first time, that the issue made “trust vulnerable”.

The vulnerability, CVE-2020-0601, centres on how the crypt32.dll element of Windows CryptoAPI validates a type of certificate called Elliptic Curve Cryptography, or ECC certificate.

By exploiting it, a hacker could use a spoofed code-signing certificate to present a malicious executable file as a trusted, legitimate one, so the victim would have absolutely no way of knowing that it was dangerous because its digital signature would be completely trusted.

Successful exploits could also let hackers carry out so-called man-in-the-middle attacks, and decrypt confidential information on user connections to the affected software.

Amit Yoran, chairman and CEO at Tenable and a founding director of the US’s Computer Emergency Readiness Team (Cert), said it was rare, if not unprecedented, for a government agency to disclose its discovery of a critical vulnerability with a supplier.

“It underscores the criticality of the vulnerability and we urge all organisations to prioritise patching their systems quickly,” he said. “These are clearly noteworthy shifts from regular practices and make this vulnerability worth paying attention to and also worth asking questions about.

“How long ago was the vulnerability discovered? How long did it take from discovery to reporting? Was it used by the NSA? Has it been observed being used by foreign intelligence services already? What triggered the vendor disclosure? None of these questions change what organisations need to do at this point to protect themselves, but their answers might tell us a lot more about the environment we operate in.”

Chris Morales, head of security analytics at Vectra, said: “I would be interested to understand what makes this exploit worth reporting to Microsoft instead of keeping for their personal arsenal, as they have in the past.

“It could be because many of those previous tools leaked and have caused widespread damage across multiple organisations. It could be because there was a concern that others would find this vulnerability themselves and it was dangerous enough to warrant remediation instead of weaponising. Or it could just be that the NSA already has enough other methods for compromising a Windows system and doesn’t need it.”

Neuberger said that the NSA’s goal in highlighting the vulnerability was to rapidly alert end-users to the importance of applying Windows patches, noting that far too few organisations do this as a matter of course.

In a statement, the NSA said: “The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors. The NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly.

“The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.”

Back story to an ‘extraordinarily’ serious vulnerability

The first indication that January 2020’s Patch Tuesday was going to be something out of the ordinary came nearly 24 hours ahead of time, when security researcher Will Dormann, who has written a number of vulnerability reports for Cert, tweeted that people should “pay very close attention to installing tomorrow’s Microsoft Patch Tuesday updates in a timely manner”.

This was picked up on by independent security researcher Brian Krebs, who worked his own sources to reveal that Microsoft planned to release a fix for an “extraordinarily serious vulnerability in a core cryptographic component present in all versions of Windows”. This turned out to be CVE-2020-0601.

Krebs said his sources had told him Microsoft had, in fact, already shipped a patch to branches of the US military and to other key high-value customers and targets, including those with responsibility for managing global internet infrastructure.

He said those organisations that had received the patch ahead of time had been asked to sign non-disclosure agreements preventing them from publicly disclosing the flaw ahead of time.

Coming on the day that Microsoft formally discontinued support for Windows 7, Krebs’ blog was swiftly picked up across the cyber security sector, prompting a wave of media stories beforeo the NSA’s disclosure in a press call on 14 January.

The NSA has faced criticism in the past for its mishandling of the EternalBlue exploit, which it developed, then lost control of, resulting in the infamous WannaCry outbreaks in May 2017, which continue to echo across the threat landscape.

Todd Schell, senior product manager at Ivanti, said the vulnerability affected a very important procedural chain that many security technologies rely on heavily to establish and validate trust. “If an attacker has a means to trick a system into believing that a file is properly signed, they could bypass many security measures,” he said. “The vulnerability is only rated as important, but there have been many examples of CVEs [common vulnerabilities and exposures] that were only rated as important, being exploited in the wild.

“Due to the nature of this vulnerability we would urge companies to treat this as a top priority this month and remediate quickly.”

Tim Mackey, principal security strategist at the Synopsys Cyber Security Research Centre (CyRC), added: “There are times when it is reasonable to defer a patch, but deferring the patch for CVE-2020-0601 isn’t one of them. The underlying component, crypt32.dll, is used for all digital signatures on Windows computers – servers and desktops. This is the component that helps verify SSL connections, whether software packages are legitimate, and whether a digital certificate submitted for email authentication is valid, among many other security items.”

Besides CVE-2020-0601, the January 2020 Patch Tuesday update fixed a total of 49 bugs affecting Microsoft Windows, Internet Explorer, Microsoft Office and Microsoft Office Services and Web Apps, ASP.NET Core, .NET Core, .NET Framework, OneDrive for Android, and Microsoft Dynamics.

The latest round of updates also saw the final public patch for Windows 7, Server 2008 and Server 2008 R2. Users who, against all advice, want to continue to run Windows 7 should already be consulting with Microsoft.

Other suppliers releasing their Patch Tuesday updates on 14 January included Oracle, which fixed a total of 334 bugs; VMware, which shut down a vulnerability in VMware Tools that could have allowed hackers to take control of an affected system; Adobe, which addressed vulnerabilities in Illustrator CC and Experience Manager; and Intel, which fixed multiple vulnerabilities, some of which could have allowed hackers to gain privilege escalation on affected systems.

Read more on Hackers and cybercrime prevention