NSA Turns Over a New Leaf – Windows Critical Vulnerabilities

Under President Obama, the government created a process to weigh the benefit of disclosing vulnerabilities that the NSA discovers against keeping them secret for use as an offensive weapon. This process is called the Vulnerabilities Equities Process. Many people outside the government think the process is a bit of a “thumb on the scale” deal, where the NSA really doesn’t disclose a lot of vulnerabilities. In general, the government doesn’t balance offensive and defensive cybersecurity very well, because the NSA and Cyber Command are headed by the same guy (General Nakasone). The government has been talking about separating the two, but it keeps delaying that. Maybe it will happen this year.

This week the NSA announced a critical vulnerability in Windows (see the crypto API alert below). If you are a glass-half-full kind of person, you would say, see, the NSA is really trying to protect us. If you are a glass-half-empty kind of person, you would say that they are blowing smoke up, well, you know.

An alternative explanation for the NSA announcement is that they have intelligence that the bad guys (pick one) have figured out this bug and are working to use it.

No matter which side of that fence you are on, if you are a Windows shop you need to install these fixes.

The first bug is in the crypto API in all versions of Windows 10 and its server versions:

CryptoAPI spoofing vulnerability – CVE-2020-0601: This vulnerability affects all machines running 32- or 64-bit Windows 10 operating systems, including Windows Server versions 2016 and 2019. This vulnerability allows Elliptic Curve Cryptography (ECC) certificate validation to bypass the trust store, enabling unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization. This could deceive users or thwart malware detection methods such as antivirus. Additionally, a maliciously crafted certificate could be issued for a hostname that did not authorize it, and a browser that relies on Windows CryptoAPI would not issue a warning, allowing an attacker to decrypt, modify, or inject data on user connections without detection.
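As an added illustration (not code from this alert, the NSA or Microsoft), the script below classifies the curve-parameters field of an ECC SubjectPublicKeyInfo, the part of a certificate that the spoofing described above abuses; flagging keys whose curve parameters are written out explicitly instead of naming a standard curve is the defensive check practitioners used for this bug. It assumes DER-encoded SPKI input; the sample blobs, placeholder values and helper names are constructed for this example.

```python
# Added example, not code from the alert or from Microsoft/NSA: classify the
# parameters field of an ECC SubjectPublicKeyInfo so a defender can flag keys
# that spell out curve parameters instead of naming a standard curve.
# Pure-stdlib DER walker; the sample SPKI blobs below are constructed.

def tlv(tag, content):
    """Encode one DER tag-length-value (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def read_tlv(buf, pos):
    """Decode the TLV starting at buf[pos]; return (tag, value, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                 # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # OID 1.2.840.10045.2.1 id-ecPublicKey
PRIME256V1 = bytes.fromhex("2a8648ce3d030107")    # OID 1.2.840.10045.3.1.7 (P-256)
PRIME_FIELD = bytes.fromhex("2a8648ce3d0101")     # OID 1.2.840.10045.1.1 prime-field
RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1

def ec_param_kind(spki):
    """Return 'named', 'explicit', 'implicit', 'unknown' or 'not-ec' for a DER SPKI."""
    tag, body, _ = read_tlv(spki, 0)             # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, alg, _ = read_tlv(body, 0)                # AlgorithmIdentifier ::= SEQUENCE
    otag, oid, after_oid = read_tlv(alg, 0)      # algorithm OID
    if otag != 0x06 or oid != EC_PUBLIC_KEY:
        return "not-ec"
    ptag, _, _ = read_tlv(alg, after_oid)        # ECParameters CHOICE (by tag)
    return {0x06: "named", 0x30: "explicit", 0x05: "implicit"}.get(ptag, "unknown")

# Constructed sample keys (placeholder point and field prime, not real key material).
POINT = tlv(0x03, b"\x00\x04" + b"\x11" * 64)   # uncompressed-point BIT STRING shape
NAMED_SPKI = tlv(0x30, tlv(0x30, tlv(0x06, EC_PUBLIC_KEY) + tlv(0x06, PRIME256V1)) + POINT)
EXPLICIT_PARAMS = tlv(0x30, tlv(0x02, b"\x01")  # ECParameters version 1, then fieldID stub
                      + tlv(0x30, tlv(0x06, PRIME_FIELD) + tlv(0x02, b"\x17")))
EXPLICIT_SPKI = tlv(0x30, tlv(0x30, tlv(0x06, EC_PUBLIC_KEY) + EXPLICIT_PARAMS) + POINT)
RSA_SPKI = tlv(0x30, tlv(0x30, tlv(0x06, RSA_ENCRYPTION) + tlv(0x05, b"")) + POINT)

def flag_explicit(spkis):
    """Indexes of the given SPKI blobs a defender should inspect more closely."""
    return [i for i, s in enumerate(spkis) if ec_param_kind(s) == "explicit"]
```

Explicit parameters are legal ASN.1 and occasionally appear in legitimate keys, so treat a hit as something to inspect rather than proof of an attack; for real certificates, parse the whole X.509 structure with a proper library rather than this minimal walker.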

The other set of bugs is, yet again, in Remote Desktop, affecting Windows 7, Server 2012 and newer:

Windows RD Gateway and Windows Remote Desktop Client vulnerabilities – CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611: These vulnerabilities affect Windows Server 2012 and newer. In addition, CVE-2020-0611 affects Windows 7 and newer. These vulnerabilities—in the Windows Remote Desktop Client and RD Gateway Server—allow for remote code execution, where arbitrary code could be run freely. The server vulnerabilities do not require authentication or user interaction and can be exploited by a specially crafted request. The client vulnerability can be exploited by convincing a user to connect to a malicious server.

Given the amount of media attention to this in the last few days, I am speculating that the feds know something that they are not telling and that news is not positive. Read more info from the CERT alert or the DHS Alert.

Federal executive branch agencies have 10 business days to install these patches. You should too.