
Published: 16th January 2020 | In: News

The 2nd Tuesday of each month is Microsoft’s Patch Tuesday and this month saw forty-nine updates from Microsoft. Among these updates are several of critical importance that need to be addressed quickly. Namely, CVE-2020-0601, CVE-2020-0609, CVE-2020-0610 and CVE-2020-0611.

Windows Remote Desktop Software Vulnerabilities

Three of the critical updates address vulnerabilities in Windows Remote Desktop software: one affects the client, and two affect the Windows Remote Desktop Gateway server. These are of particular concern to any company using remote desktop.

The Remote Desktop Gateway server vulnerabilities (CVE-2020-0609 and CVE-2020-0610) allow an unauthenticated attacker to execute code remotely. An increasing number of organisations expose this technology as an internet-facing service, allowing users remote access to company systems. For these organisations the vulnerabilities are of significant concern and warrant an immediate response.

While at the time of writing there is no active exploitation of these vulnerabilities, this will become an attack vector used across the internet very quickly and should be patched ASAP.

Windows Cryptographic Certificate Vulnerability

The most widely publicised vulnerability is CVE-2020-0601. Whilst only marked as important by Microsoft, the vulnerability has gained significant exposure because the United States National Security Agency (NSA) discovered the issue and disclosed it to Microsoft. Alongside the patch release, the NSA has issued its own press release detailing the issue and the problems it can bring.

The vulnerability is a flaw in the way Windows validates certain types of certificates. Specifically, ones using Elliptic Curve Cryptography.

What does this mean? An attacker can present a malicious file (such as an executable) with a forged certificate that Windows will accept as genuine when it is not.
Since these certificates are used to establish that software or websites can be trusted, and that communications can be read only by the authorised parties, this is of significant concern. Windows can be tricked into installing malicious software as though the file were genuine and safe to execute, and a man-in-the-middle attacker could be assisted in decrypting communications.
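As an added illustration (not from the original post, nor Microsoft's or the NSA's code): the certificates this flaw concerns carry explicit elliptic-curve parameters in the key's AlgorithmIdentifier instead of a named-curve identifier, which a legitimately issued certificate has no reason to do. The pure-stdlib Python below parses that part of a DER-encoded SubjectPublicKeyInfo and classifies it, so an inspection or logging tool can flag such keys; the sample keys are constructed here with dummy point bytes.

```python
"""Classify the EC parameters of an X.509 SubjectPublicKeyInfo (DER).

Keys whose ECParameters is an explicit SEQUENCE rather than a named-curve
OID are the shape associated with CVE-2020-0601 and deserve a closer look.
"""

ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")    # 1.2.840.10045.2.1
SECP256R1 = bytes.fromhex("2a8648ce3d030107")         # 1.2.840.10045.3.1.7
PRIME_FIELD = bytes.fromhex("2a8648ce3d0101")         # 1.2.840.10045.1.1


def der(tag, content):
    """Encode one DER TLV with a definite length (used to build samples)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value bytes, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                       # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def ec_parameter_kind(spki):
    """Return 'not-ec', 'named', 'explicit', 'implicit' or 'missing'."""
    _, body, _ = tlv(spki)             # SubjectPublicKeyInfo ::= SEQUENCE
    _, algid, _ = tlv(body)            # AlgorithmIdentifier ::= SEQUENCE
    tag, oid, nxt = tlv(algid)         # algorithm OBJECT IDENTIFIER
    if tag != 0x06 or oid != ID_EC_PUBLIC_KEY:
        return "not-ec"
    if nxt >= len(algid):
        return "missing"               # RFC 5480 requires ECParameters
    ptag, _, _ = tlv(algid, nxt)       # ECParameters CHOICE
    return {0x06: "named", 0x30: "explicit", 0x05: "implicit"}.get(ptag, "unknown")


# Constructed samples: the BIT STRING holds a dummy point, only structure matters.
DUMMY_POINT = der(0x03, b"\x00\x04" + b"\x00" * 64)
NAMED_SPKI = der(0x30, der(0x30, der(0x06, ID_EC_PUBLIC_KEY) + der(0x06, SECP256R1)) + DUMMY_POINT)
EXPLICIT_PARAMS = der(0x30, der(0x02, b"\x01")                                  # version 1
                      + der(0x30, der(0x06, PRIME_FIELD) + der(0x02, b"\x11"))  # fieldID, dummy p
                      + der(0x30, der(0x04, b"\x00") + der(0x04, b"\x07"))      # curve a, b
                      + der(0x04, b"\x04\x00\x00")                              # base point G
                      + der(0x02, b"\x0d"))                                     # order n
EXPLICIT_SPKI = der(0x30, der(0x30, der(0x06, ID_EC_PUBLIC_KEY) + EXPLICIT_PARAMS) + DUMMY_POINT)
```

Feed `ec_parameter_kind` the SubjectPublicKeyInfo bytes of any certificate you extract and treat "explicit" as a finding worth investigating.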

Attackers will use this in phishing campaigns, to spread malware and ransomware, and to steal secrets. This is a significant threat that can only be fully addressed by installing the patch provided by Microsoft.

Again, at the time of writing there are no reports of malicious use of this vulnerability. However, several researchers have already produced code that uses the flaw to fool Windows into trusting websites or applications it should not, all in less than 24 hours; attackers will already be weaponising it.

Advice:

  • Patch – but patch properly – as quickly as possible. Test this month’s patches on your systems and roll out the updates in a controlled manner. Any organisation running a Windows Remote Desktop Gateway connected to the internet should patch this ASAP.
  • Communicate – ensure your organisation is aware that while there is a threat, it is being dealt with appropriately. Reminders about the dangers of phishing emails and of installing or running untested or unapproved software would be advisable at this time.

For further information on the support our Security Operations Centre & Consulting teams can provide you and your organisation, contact the Quorum Cyber team today.

Further security guidance for these vulnerabilities is available on the Microsoft portal:

CVE-2020-0601 – Windows CryptoAPI Spoofing Vulnerability (Crypt32.dll)
CVE-2020-0609 – Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability
CVE-2020-0610 – Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability
CVE-2020-0611 – Remote Desktop Client Remote Code Execution Vulnerability