Microsoft fixes Windows crypto bug reported by the NSA

Fixes were released today as part of Microsoft's January 2020 Patch Tuesday.

Microsoft: NSA-reported crypto bug is as bad as it gets

Microsoft has released a security update today to fix "a broad cryptographic vulnerability" impacting the Windows operating system.

The bug was discovered and reported by the US National Security Agency (NSA), NSA Director of Cybersecurity Anne Neuberger said in a press call today.

The CVE-2020-0601 bug

The vulnerability, tracked as CVE-2020-0601, impacts the Windows CryptoAPI, a core component of the Windows operating system that handles cryptographic operations.

According to a security advisory published today, "a spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates."

Microsoft says that an attacker could exploit this bug "to sign a malicious executable, making it appear the file was from a trusted, legitimate source."

But besides faking file signatures, the bug could also be used to fake digital certificates used for encrypted communications.

"A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software," Microsoft also said.
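The advisory text quoted above says only that CryptoAPI mis-validates ECC certificates. The published root cause of CVE-2020-0601 is that Crypt32.dll accepted certificates whose EC public key carried explicit curve parameters rather than a named-curve identifier, and matched them to a trusted root without checking those parameters. A defender-side check, added here as an example and not taken from the article, Microsoft or the NSA, is therefore to flag any certificate whose SubjectPublicKeyInfo uses explicit EC parameters. The minimal DER walker below does that; the two SubjectPublicKeyInfo blobs it inspects are constructed in the script (the key material is placeholder zeros, not a real key).

```python
"""Flag X.509 SubjectPublicKeyInfo structures whose EC key carries explicit
curve parameters instead of a named-curve OID (the shape CVE-2020-0601 abused).

Added example, not code from the article, Microsoft or the NSA. All DER
inputs are constructed below; the public-key points are placeholders.
"""

ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")    # OID 1.2.840.10045.2.1
ID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")     # OID 1.2.840.10045.3.1.7
ID_PRIME_FIELD = bytes.fromhex("2a8648ce3d0101")      # OID 1.2.840.10045.1.1
ID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1


def _tlv(tag, body):
    """Encode one DER TLV with a definite length (up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, body, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n = int.from_bytes(buf[pos + 2:pos + 2 + k], "big")
        hdr = 2 + k
    start = pos + hdr
    return tag, buf[start:start + n], start + n


def ec_parameter_kind(spki):
    """Classify a DER SubjectPublicKeyInfo by its EC parameters.

    Returns "named" (parameters are a curve OID, the normal case),
    "explicit" (parameters are an ECParameters SEQUENCE, worth flagging),
    "implicit" (NULL or absent parameters) or "not-ec".
    """
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    alg_tag, alg, _ = _read_tlv(body, 0)        # AlgorithmIdentifier
    if alg_tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    oid_tag, oid, pos = _read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != ID_EC_PUBLIC_KEY:
        return "not-ec"
    if pos >= len(alg):
        return "implicit"
    param_tag, _, _ = _read_tlv(alg, pos)
    if param_tag == 0x06:
        return "named"
    if param_tag == 0x30:
        return "explicit"
    return "implicit"


def _spki(params, point):
    """Build SubjectPublicKeyInfo { { id-ecPublicKey, params }, BIT STRING point }."""
    alg = _tlv(0x30, _tlv(0x06, ID_EC_PUBLIC_KEY) + params)
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + point))


# Constructed placeholder point: uncompressed-form tag 0x04 plus 64 zero bytes.
FAKE_POINT = b"\x04" + b"\x00" * 64

NAMED_CURVE_SPKI = _spki(_tlv(0x06, ID_PRIME256V1), FAKE_POINT)

# Explicit ECParameters SEQUENCE { version, fieldID, curve, base point, order }.
# Only the outer shape matters to the check, so the inner values are placeholders.
EXPLICIT_PARAMS = _tlv(0x30,
    _tlv(0x02, b"\x01")
    + _tlv(0x30, _tlv(0x06, ID_PRIME_FIELD) + _tlv(0x02, b"\x00" + b"\xff" * 32))
    + _tlv(0x30, _tlv(0x04, b"\x00" * 32) + _tlv(0x04, b"\x00" * 32))
    + _tlv(0x04, FAKE_POINT)                     # base point (generator)
    + _tlv(0x02, b"\x00" + b"\xff" * 32))        # order
EXPLICIT_SPKI = _spki(EXPLICIT_PARAMS, FAKE_POINT)

RSA_SPKI = _tlv(0x30, _tlv(0x30, _tlv(0x06, ID_RSA_ENCRYPTION) + _tlv(0x05, b""))
                + _tlv(0x03, b"\x00\x30\x00"))

if __name__ == "__main__":
    for name, blob in [("named-curve", NAMED_CURVE_SPKI),
                       ("explicit-params", EXPLICIT_SPKI),
                       ("rsa", RSA_SPKI)]:
        print(f"{name}: {ec_parameter_kind(blob)}")
```

To run this over real certificates, extract each certificate's SubjectPublicKeyInfo with an X.509 library and pass the DER bytes to `ec_parameter_kind`; a result of "explicit" in a chain that claims to lead to a well-known root is the condition worth alerting on, since public CAs issue named-curve keys.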

According to Microsoft, this vulnerability impacts Windows 10, Windows Server 2019, and Windows Server 2016 OS versions.

Microsoft and the NSA said they have not seen any active attacks exploiting this bug prior to today's patch.

NSA's first credit

The bug is considered as bad as it gets. Neuberger said the agency took an unprecedented step by reporting the bug, instead of hoarding the vulnerability and using it for its offensive tools and operations.

The CVE-2020-0601 vulnerability marks the first time Microsoft has credited the NSA for reporting a bug. Other cyber-security agencies have previously reported major vulnerabilities to Microsoft; for example, the UK National Cyber Security Centre reported the now infamous BlueKeep bug to Microsoft back in May 2019.

Neuberger said the NSA reporting this bug is a change in the agency's general approach to cyber-security, and that other bug reports will follow.

Besides reporting the bug to Microsoft, the agency also sent an advance notice to critical infrastructure operators ahead of today's official patches, letting them know that a major fix was coming.

The agency is also releasing its own security advisory later today, with mitigation information and guidance on detecting exploitation, and is urging IT staff to expedite the installation of today's Patch Tuesday security updates.

The Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (DHS CISA) will also release an emergency directive today to alert the US private sector and government entities about the need to install the latest Windows OS fixes.

"Given the information at our disposal right now, customers should absolutely make sure they apply this patch quickly. This is true for all 'critical patches' but is doubly true at this time," Yonatan Striem-Amit, CTO and co-founder of Cybereason, told ZDNet earlier today.