January Patch Tuesday 2020
Microsoft released updates for Windows, Internet Explorer, Office, .Net, and a variety of developer tools resolving a total of 49 distinct common vulnerabilities and exposures (CVEs). Among these is CVE-2020-0601, which is the Microsoft Crypto vulnerability that has been making headlines even before the update was available. No exploited or publicly disclosed vulnerabilities were resolved, which is good. Limited releases came out from third party vendors. It might be a fairly calm start to 2020 aside from the Crypto vulnerability. The most notable news is still the final public patch release for Windows 7, Server 2008 and Server 2008 R2.
Opinions differ widely between analyst, CERT, and other sources leading up to the release of updates and the actual CVE-2020-0601. A second vulnerability regarding cryptographic services may be adding to the difference in expectations around how severe the situation is; CVE-2020-0620 is rated as a lower exploitability index and CVSS scoring was also slightly lower. So lets break these two down.
CVE-2020-0601 affects Windows 10 and related Server branches only. This vulnerability allows an attacker to spoof a code-signing certificate on an application or file. Code-signing certificates are a very important chain of trust that many security technologies will rely on to establish and validate that trust. If an attacker has a means to trick a system into believing a file is properly signed, they could bypass many security measures. The vulnerability is only rated as important, but there have been many examples of CVEs that were only rated as important being exploited in the wild. Due to the nature of this vulnerability we would urge companies to treat this as a top priority this month and remediate quickly.
CVE-2020-0620 affects Windows 7, Server 2008 and later editions of Windows i.e. pretty much everything currently supported. In this case an attacker can abuse how Microsoft Cryptographic Services is handling files. The attacker must have execute rights on the victim’s system, but by exploiting this vulnerability they can elevate their privilege level by abusing this improper handling of files and bypass a trust-model used by many security technologies. Gaining execute rights on a system is a pretty low bar for most threat actors. Again, our guidance is to treat this as a priority 1 and address it in a timely manner.
Windows 7, Server 2008, and Server 2008 R2 have received their final public patch release. If you are continuing to run these systems in your environment, you should make sure you are prepared for February and beyond.
If you are engaging with Microsoft to continue support:
- Do you have your ESU agreement in place?
- Have you configured all systems that are continuing support with your ESU key?
- Have you applied the latest Service Stack Update to these systems? (Microsoft just released an updated SSU for these platforms with the January release. It could be a prerequisite for continued support.)
- Have you applied the SHA2 Cert update?
If you are not purchasing an ESU you will want to consider mitigation options:
- Get systems up to January 2020 patch levels.
- Virtualize workloads and reduce access to these systems to essential personnel only.
- Remove direct internet access from these systems.
- Segregate these systems into a network segment, separate from other systems.
- Layer additional security controls on these systems. Lock down application control policies to prevent running anything other than the critical applications that rely on the legacy OS, etc.