Patch Windows 10 systems now. This is the message coming from leading info-security experts.
A severe vulnerability threatens the integrity of systems running Windows 10 in 32- and 64-bit versions. The vulnerability, CVE-2020-0601, allows Elliptic Curve Cryptography (ECC) certificate validation to bypass the trust store.
As a result, malicious software could present itself as legitimate software, authenticated and signed by a trusted source. Additionally, browsers that rely on Windows CryptoAPI could be duped by a forged digital certificate without raising any red flags.
NSA Speaks on CVE-2020-0601
The news comes as both the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) and U.S. National Security Agency (NSA) Cybersecurity Directorate, urge Windows 10 users to update their systems immediately.
According to the NSA, who discovered the issue and reported it to Microsoft, this vulnerability may shake our trust in cryptographic mechanisms.
Neal Ziring, technical director of the NSA Cybersecurity Directorate, says:
“This vulnerability may not seem flashy, but it is a critical issue. Trust mechanisms are the foundations on which the internet operates, and CVE-2020-0601 permits a sophisticated threat actor to subvert those very foundations.”
The NSA has lately been on the receiving end of blame for ransomware made possible by a leaked NSA exploit, EternalBlue. While it could have secretly weaponized this new flaw, the NSA has instead come out in the open, perhaps a testament to the severity of the vulnerability.
How Serious is this Vulnerability?
It’s serious. That the NSA has come out of the woodwork to warn users is proof enough.
An attacker, for example, could spoof a security certificate so that it appears to come from a trusted vendor. That would allow them to bypass security checks on the system and give them free rein to do as they wish.
According to Chris Hass, former NSA security analyst and current director of information security and research at Automox, the vulnerability doesn’t just affect signatures:
“It will also affect conviction rates of AI-based models due to the fact most AI-models use digital signatures to some capacity in weighing whether a file is malicious or not.”
The vulnerability could also be exploited in other ways to undermine trust in HTTPS connections, signed files, emails, and signed executable code, among others. The NSA further warns that “Remote exploitation tools will likely develop quickly and be widely available.” Windows 10 users must, therefore, apply the Patch Tuesday fix immediately.
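An added defender-side check, not from the article: once the January 2020 patch is installed, Windows CryptoAPI logs an Application-log event (source Microsoft-Windows-Audit-CVE, Event ID 1, message tagged [CVE-2020-0601]) whenever it rejects a certificate that attempts this spoof, which is per Microsoft's guidance rather than anything stated on this page. The script below queries those events and, if none are found, lists recent hotfixes so the patch state can be confirmed; $ComputerName and $Since are assumed parameters.

```powershell
# Added example (not the article's own): look for CVE-2020-0601 audit events
# that a patched Windows 10 host logs when CryptoAPI rejects a spoofed
# ECC certificate. Provider name and Event ID come from Microsoft's advisory.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumed parameter
    [datetime]$Since = (Get-Date).AddDays(-7)    # assumed parameter
)

# Patched hosts log Event ID 1 from "Microsoft-Windows-Audit-CVE" in the
# Application log; the message starts with "[CVE-2020-0601] cert validation".
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-Audit-CVE'
    Id           = 1
    StartTime    = $Since
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*CVE-2020-0601*' }

if (-not $events) {
    Write-Output "No CVE-2020-0601 audit events on $ComputerName since $Since."
    # Absence of events is NOT proof the host is patched: an unpatched host
    # never logs them. Confirm the January 2020 cumulative update is present.
    Get-HotFix -ComputerName $ComputerName |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 5 HotFixID, InstalledOn
} else {
    # Each hit means a process presented a certificate that exploits the flaw;
    # treat it as a possible attack attempt and investigate the source.
    $events | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Host    = $_.MachineName
            Message = ($_.Message -split "`n")[0]
        }
    } | Format-Table -AutoSize
}
```

The event is only emitted after the patch is installed, so the hotfix listing is the check that matters for unpatched systems; the events are the detection signal afterwards.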
Patch Windows 10 Now
No known exploits of the vulnerability exist in the wild for now. The NSA warns that this is bound to change fast. According to CISA, “Because patches have been publicly released, the underlying vulnerabilities can be reverse-engineered to create exploits that target unpatched systems.”
The clock is ticking. While there are sometimes benefits to delaying patches, this isn’t the time. Most info-security experts agree: don’t defer this specific Windows Patch Tuesday update.
Apply the Patch immediately.