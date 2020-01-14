How Microsoft turned into a cloud company

Microsoft today released the January 2020 security updates. This month’s updates contain fixes for 49 vulnerabilities, eight of which are rated “critical” in severity.

By far the most striking bug patched today is a vulnerability in CryptoAPI (Crypt32.dll), the standard Windows cryptographic library, which was discovered by the NSA and reported to Microsoft.

The bug (CVE-2020-0601) is considered as bad as it gets. It can allow a threat actor to falsify file signatures and perform man-in-the-middle attacks on encrypted HTTPS communications. See our earlier reporting on this bug for more information.

But in addition to this bug, there are also two other major issues that need to be patched. These two bugs both affect Windows Server 2016 and Windows Server 2012.

According to Microsoft, the Windows Remote Desktop Gateway (RD Gateway) component running on these systems is vulnerable to a remote code execution flaw that could allow attackers to take over vulnerable Windows servers by initiating an RDP connection and sending specially crafted requests.

These two vulnerabilities – tracked as CVE-2020-0609 and CVE-2020-0610 – occur before the RDP authorization process and do not require any user interaction from the server owner.

There are two new pre-authorization RCEs with CVSS score 9.8 in RD Gateway, often used to protect RDP servers (adds MFA etc.).

RD Gateway is an (excellent, btw) Enterprise solution for protecting those RDP boxes. You probably want to patch it. https://t.co/V13hp2tiYQ https://t.co/SSfF1l6nBu

– Kevin Beaumont (@GossiTheDog) January 14, 2020

All in all, Microsoft's January Patch Tuesday is smaller than many of its 2019 Patch Tuesdays, but it is certainly no less important because of the three bugs presented above.

Users are advised to set aside time to download and install these security updates as quickly as possible.

In addition to Windows, other products that have received fixes this month include Internet Explorer, ASP.NET, the .NET Framework, Microsoft Dynamics, OneDrive for Android, Microsoft Office and Microsoft Office Services and Web Apps.

