Prepare for the weather reporter at your local news station to start lecturing on the importance of installing Windows patches.
Yesterday's Patch Tuesday was a remarkable one. "Remarkable" specifically in the sense that the US National Security Agency went so far as to publish a press release (PDF):
The NSA recommends installing all January 2020 Patch Tuesday patches as soon as possible to effectively mitigate the vulnerability on all Windows 10 and Windows Server 2016/2019 systems.
That is a first. Until now, the NSA had never publicly acknowledged its contributions to Microsoft's patching efforts, nor had it picked up the whip on Microsoft's behalf to drive people to patch. Security guru Brian Krebs attributes it to a change of heart at the NSA:
Sources say this NSA disclosure is planned to be the first of many as part of a new initiative at the NSA called "Turn a New Leaf," intended to make more of the agency's vulnerability research available to key software vendors and ultimately to the public.
Krebs has an excellent summary of the security hole, loaded with several amazing analogies. Get the technical details of the vulnerability in Kenneth White's Microsoft "Chain of Fools" exposé. If you have not yet been flooded with hasty explanations, you can be sure that every media outlet in the world is in the process of trying to digest and regurgitate the complexities of CryptoAPI and elliptic curve cryptography certificates.
What does this all mean? If someone can crack the CVE-2020-0601 puzzle, they can create programs that appear to come from a trusted source. That is a terrifying possibility, but it is a long way from a third-degree polynomial to working ransomware.
And no, CVE-2020-0601 cannot be used to break into the Windows Update chain.
As of Wednesday morning, at least one A-list hacker has created a proof-of-concept exploit. Casey Smith (@subTee) has a PoC, but it is not yet ready for widespread release. As Kevin Beaumont puts it, "It is not practical to scale for a variety of reasons."
So, with everyone (the NSA, the Softies, your weather forecaster, your hairdresser's precocious but smelly nine-year-old) recommending that you patch NOW, why wait?
Because there are problems with this month's Win10 patches.
It always takes time for bugs to surface. This month is no different. Since very early Wednesday morning I have been seeing many reports of problems installing the patches, the same problems we have had for many years. Whether darker problems are lurking is anyone's guess, and it is still too early to know.
For now, I recommend that you hold off on all of the Patch Tuesday patches until we have had a chance to see what other surprises await. That assessment can change quickly, so stay alert.
If you are in charge of Server 2012, 2012 R2, 2016 and/or 2019 systems, there is a much bigger problem you must face right now. Two of the security holes patched this month, CVE-2020-0609 and CVE-2020-0610, concern a security hole in the Windows Remote Desktop Gateway, RD Gateway, that will let anyone into your system if they crawl in through port 443. As Patch Lady Susan Bradley puts it:
If you are an IT consultant or administrator with an Essentials 2012 (or later) server, or use the RD Gateway role and expose it through port 443 to allow users to access RDweb or their desktops, forget that crypt32.dll error. This is the one to worry about.
The January patches should be a priority because of this actively exposed security hole. And of course, if you are running a Pulse Connect Secure VPN or a Citrix Gateway/ADC/NetScaler box, you already have it locked down (or disconnected), right?
This month we had almost no "quality updates" other than security fixes, that is, almost no bug fixes. With a few annoying exceptions (one in Win10 version 1809), none of this month's Windows patches include documented fixes for non-security bugs. In fact, we have seen very few non-security patches since October.
All of which underlines a continuing problem with the "as a service" approach of lumping all of the month's patches into one big gob. If we had separate patches for Crypt32 and RD Gateway, people could choose to fix the big holes while waiting for reports of problems with the small ones.
If the wishes were horses, the hackers would ride.
Keep up with the Crypt32 decryption on AskWoody.com.
Copyright © 2020 IDG Communications, Inc.