Patch Tuesday aftermath: The NSA Crypt32 threat is real, but not yet imminent

Credit to Author: Woody Leonhard| Date: Wed, 15 Jan 2020 07:26:00 -0800

Get ready for your local news station’s weather reporter to start lecturing on the importance of installing Windows patches.

Yesterday we were treated to a remarkable Patch Tuesday. “Remarkable” specifically in the sense that the U.S. National Security Agency was moved to put out a press release (PDF):

NSA recommends installing all January 2020 Patch Tuesday patches as soon as possible to effectively mitigate the vulnerability on all Windows 10 and Windows Server 2016/2019 systems.

That’s a first. Until now, the NSA has never publicly acknowledged its contributions to Microsoft’s patching efforts — nor has it picked up the flogging whip in Microsoft’s patching drive. Security guru Brian Krebs attributes it to a change of heart at the NSA:

Sources say this disclosure from NSA is planned to be the first of many as part of a new initiative at NSA dubbed “Turn a New Leaf,” aimed at making more of the agency’s vulnerability research available to major software vendors and ultimately to the public.

Krebs has an excellent overview of the security hole, loaded with several mind-bending analogies. Get the tech details of the vulnerability in Kenneth White’s Microsoft’s Chain of Fools exposé. If you haven’t yet been inundated with half-fast explanations, rest assured that every news outlet in the world is in the process of trying to digest and regurgitate the complexities of CryptoAPI and Elliptic Curve Cryptography certs.

What does it all mean? If someone can crack the CVE-2020-0601 conundrum, they’ll be able to create programs that appear to come from a trusted source. That’s a scary possibility, but it’s a long way from a third-degree polynomial to working ransomware.

And, no, CVE-2020-0601 can’t be used to break into the Windows Update chain.

As of early Wednesday morning, at least one A-list hacker has put together a working “Proof of Concept” exploit. Casey Smith (@subTee) has a PoC, but it isn’t yet ready for widespread release. As Kevin Beaumont says, “It’s not practical at scale for a variety of reasons.”

So with everybody — the NSA, the ‘Softies, your weather forecaster, your hairdresser’s boyfriend’s precocious but smelly nine-year-old — recommending that you patch NOW, why wait?

Because there are problems with this month’s Win10 patches.

It always takes time for bugs to surface. This month’s no different. As of very early Wednesday morning, I’m seeing plenty of problem reports when installing the patches — the same problems we’ve had for many years. Whether any darker problems lie in lurk is anybody’s guess, and it’s still too early to tell.

For now, I’m recommending that you keep all of the Patch Tuesday patches at bay, until we’ve had a chance to see what other surprises await. That assessment may change quickly, so stay alert.

If you’re in charge of Server 2012, 2012 R2, 2016 and/or 2019 systems, there’s a much larger problem you should confront right now. Two of this month’s patched security holes, CVE-2020-0609 and CVE-2020-0610, reveal a security hole in the Windows Remote Desktop Gateway, RDgateway, that will let anybody into your system if they crawl in through port 443. As Patch Lady Susan Bradley puts it:

If you are a IT consultant or admin with an Essentials 2012 (or later) server, or use the RDgateway role and expose it over port 443 to allow users to gain access to RDweb or their desktops, forget that crypt32.dll bug. This one is one to worry about.

The January patches should be a top priority for this, active security hole. And of course, if you’re using Pulse Connect Secure VPN, or a Citrix Gateway/ADC/NetScaler box you have it locked down (or unplugged) by now, right?

This month we had almost no non-security “quality updates” — which is to say, bug fixes. With a few niggling exceptions (one in Win10 version 1809), none of the Windows patches this month include documented non-security bug fixes. In fact, we’ve seen very few non-security patches since October. 

All of which underlines an ongoing problem with the “as a Service” method of bundling all the month’s patches into one big gob. If we had separate Crypt32 and RDgateway patches, people could choose to fix the big holes while waiting for problem reports on the little ones. 

If wishes were horses then hackers would ride.

Stay up-to-the-minute on Crypt32 cracking with AskWoody.com.

http://www.computerworld.com/category/security/index.rss