Patch Tuesday aftermath: The NSA Crypt32 threat is real, but not yet imminent

Get ready for your local news station’s weather reporter to start lecturing on the importance of installing Windows patches.

Yesterday we were treated to a remarkable Patch Tuesday. “Remarkable” specifically in the sense that the U.S. National Security Agency was moved to put out a press release (PDF):

NSA recommends installing all January 2020 Patch Tuesday patches as soon as possible to effectively mitigate the vulnerability on all Windows 10 and Windows Server 2016/2019 systems.

That’s a first. Until now, the NSA has never publicly acknowledged its contributions to Microsoft’s patching efforts — nor has it picked up the flogging whip in Microsoft’s patching drive. Security guru Brian Krebs attributes it to a change of heart at the NSA:

Sources say this disclosure from NSA is planned to be the first of many as part of a new initiative at NSA dubbed “Turn a New Leaf,” aimed at making more of the agency’s vulnerability research available to major software vendors and ultimately to the public.

Krebs has an excellent overview of the security hole, loaded with several mind-bending analogies. Get the tech details of the vulnerability in Kenneth White’s Microsoft’s Chain of Fools exposé. If you haven’t yet been inundated with half-fast explanations, rest assured that every news outlet in the world is in the process of trying to digest and regurgitate the complexities of CryptoAPI and Elliptic Curve Cryptography certs.

What does it all mean? If someone can crack the CVE-2020-0601 conundrum, they’ll be able to create programs that appear to come from a trusted source. That’s a scary possibility, but it’s a long way from a third-degree polynomial to working ransomware.

And, no, CVE-2020-0601 can’t be used to break into the Windows Update chain.

Copyright © 2020 IDG Communications, Inc.
