As part of the first Patch Tuesday of 2020, Microsoft has released patches for CVE-2020-0601. This is a critical flaw in the cryptographic library for Windows that impacts Windows 10 and Windows Server 2016/2019. The National Security Agency, who discovered and reported the flaw to Microsoft, strongly urges users to prioritise patching vulnerable systems.
Renaud Deraison, Co- founder and CTO at Tenable about the MSFT flaw said, “CVE-2020-0601 hits at the very trust we have in today’s digital computing environments — trust to authenticate binaries and trust that our ciphered communications are properly protected. The flaw would enable an attacker, among other things, to exploit how Windows verifies cryptographic trust, enabling them to deliver executable code and making it look like it came from a trusted source. You can imagine its use in ransomware and phishing attacks on unpatched systems. This is a serious vulnerability and one that we fully expect to see exploited in the wild in the coming weeks and months. We will see continued attacks over the course of the year among organisations that do not patch their systems quickly.
The NSA’s responsible disclosure of the vulnerability to Microsoft is a step in the right direction. We look forward to continued public-private sector coordination.”
