Microsoft Releases Patch Recommendation for CVE-2020-0601

Today Microsoft released a security update to address CVE-2020-0601, a spoofing vulnerability that leverages the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. This vulnerability affects Windows 10 and Windows Server 2016 and Windows Server 2019 only. While today is the last day for security updates for Windows 7, Windows 7 is NOT affected by this issue.

The vulnerability can enable an attacker to spoof legitimate digital certificates. This in turn can be used either to sign malicious code and make it appear legitimate, or to conduct “man-in-the-middle” (MitM) attacks against encrypted network traffic, disclosing the contents of that traffic to an attacker. For this to happen, a user must choose to run the software.

Microsoft rates the vulnerability “Important” using their system, but the impact is significant enough that organizations should treat it as critical in terms of expediting deployment of security updates.

While one of the biggest concerns is that this can be used to sign malicious code, Proofpoint threat researchers have reviewed this scenario and have identified mitigating factors for customers and other security vendors. Security products that implement behavioral analysis to detect malicious software should still be able to detect the underlying malware, even if it’s signed with a seemingly legitimate certificate.

It’s also important to note that the scope of affected systems, Windows 10 and Window Server 2016 and 2016 only, limits the potential reach of this vulnerability for malicious purposes.

And finally, so far there is no indication from Microsoft or the United States National Security Agency (NSA), who disclosed this vulnerability, that it has been used maliciously to date.

Taken altogether, this means this is a vulnerability that should be patched quickly but it does not reach the level of Heartbleed or WannaCry scenarios from the past.

As always, Proofpoint researchers are monitoring the situation and if we see significant changes in the threat landscape, we will update you. But for now, the recommendation is test and patch quickly.

Subscribe to the Proofpoint Blog