A dangerous Windows 10 vulnerability, tracked as CVE-2020-0601 and rated critical, has been reported by the American National Security Agency (NSA).
It is being tracked in the CVE-2020-0601 advisory and allows malicious code to be masked as a legitimate app; this is done by abusing the system in a prescribed way.
CVE-2020-0601: a Dangerous Windows 10 Vulnerability Allowing Malware Data To Be Run as Legitimate
The NSA has posted a public notice about an issue in Windows 10 that is currently tracked in the CVE-2020-0601 advisory. The agency reports that this is a particularly dangerous flaw, as it allows malware code to abuse the system and mask itself as a legitimate process. The description as posted online is the following:
"A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'."
The affected operating systems include the latest desktop release (Windows 10) as well as Windows Server 2016 and 2019, together with separate applications that rely on the system for trust functionality. The flaw has been identified in the cryptographic processes that are used in file and network operations.
The Windows 10 Vulnerability CVE-2020-0601 Is Rated Critical
The problem was found within the certificate validation process, the process which verifies the identity behind signed data and underpins the encryption and decryption of data. It appears that malware code has the ability to overcome the security mechanisms and bypass the "trust" function. Exploiting this vulnerability allows dangerous code to be executed while being regarded as legitimate. There are several areas in which this type of flaw can be used:
- Encrypted Connections — The flaw can affect HTTPS-secured network connections, whether they originate from the local host or are remote connections to various sites, networks and services.
- Signed Files and Email Messages — The flaw allows criminals to overcome the protection that signatures give to files and emails.
- User-Mode Signed Code — Malicious code running locally can carry a signature that bypasses the security checks.
The flaw can be used in two main types of attacks: local malware code that is run via its own scripts or by the user (mostly through social engineering tactics), or remote intrusion attempts that use automated hacking toolkits.
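As an added defensive check (example code, not from the original post, Microsoft or the NSA), the following Python script inspects a PEM or DER certificate and flags ECC public keys whose AlgorithmIdentifier carries explicitly defined curve parameters instead of a named-curve OID, the certificate shape the NSA advisory describes as suspicious for this flaw. It scans for the id-ecPublicKey OID rather than fully parsing ASN.1, and the sample inputs are constructed AlgorithmIdentifier fragments, not real certificates.

```python
import base64
import re

# DER encoding of OID 1.2.840.10045.2.1 (id-ecPublicKey): tag 0x06, length 7, arcs.
EC_PUBLIC_KEY_OID = bytes.fromhex("06072a8648ce3d0201")


def load_der(data: bytes) -> bytes:
    """Return DER bytes from either a PEM-armored or a raw DER certificate."""
    match = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", data, re.S)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()))
    return data


def ec_parameter_kinds(der: bytes) -> list:
    """Classify the parameters that follow each id-ecPublicKey OID in the blob.

    In an X.509 SubjectPublicKeyInfo the AlgorithmIdentifier is
    SEQUENCE { id-ecPublicKey, ECParameters }, where ECParameters is either a
    namedCurve OID (tag 0x06), an explicit ECParameters SEQUENCE (tag 0x30),
    or NULL (tag 0x05) for implicitlyCA. Explicit parameters let a certificate
    carry a curve that only partly matches a standard one, which is why they
    are the suspicious shape for CVE-2020-0601.
    """
    kinds = []
    pos = 0
    while True:
        hit = der.find(EC_PUBLIC_KEY_OID, pos)
        if hit < 0:
            return kinds
        pos = hit + len(EC_PUBLIC_KEY_OID)
        tag = der[pos] if pos < len(der) else None
        kinds.append({0x06: "named", 0x30: "explicit", 0x05: "implicit"}.get(tag, "unknown"))


def is_suspicious(data: bytes) -> bool:
    """True when any ECC key in the certificate uses explicitly defined parameters."""
    return "explicit" in ec_parameter_kinds(load_der(data))


# Constructed sample fragments (not real certificates):
# id-ecPublicKey followed by the namedCurve OID for P-256 (1.2.840.10045.3.1.7).
NAMED_CURVE_ALGID = bytes.fromhex("3013" "06072a8648ce3d0201" "06082a8648ce3d030107")
# id-ecPublicKey followed by a minimal explicit ECParameters SEQUENCE { version INTEGER 1 }.
EXPLICIT_PARAMS_ALGID = bytes.fromhex("300e" "06072a8648ce3d0201" "3003" "020101")
# The explicit fragment wrapped in PEM armor, to exercise the PEM path.
EXPLICIT_PARAMS_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                       + base64.encodebytes(EXPLICIT_PARAMS_ALGID)
                       + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for label, blob in [("named", NAMED_CURVE_ALGID), ("explicit", EXPLICIT_PARAMS_ALGID),
                        ("pem", EXPLICIT_PARAMS_PEM)]:
        print(label, ec_parameter_kinds(load_der(blob)), "SUSPICIOUS" if is_suspicious(blob) else "ok")
```

Point `is_suspicious` at the bytes of a real exported certificate to run the check on it; a "named" result is the expected, benign case.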
Microsoft has released a fix in its January 2020 Patch Bulletin, which should be applied as soon as possible to mitigate the flaw. The patch is rated as extremely important, which is why the company has shipped it to enterprise clients, military bases and other locations where the operating system is deployed. Patch your system if you haven't already to protect yourself.