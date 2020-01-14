Image caption: The NSA now says to patch.

Microsoft’s security update for Windows fixes a potentially dangerous bug that could allow an attacker to forge a certificate so that it looks like it comes from a trusted source. The vulnerability reported to Microsoft by the National Security Agency affects Windows 10, Windows Server 2016, Windows Server 2019, and Windows Server 1803.

Microsoft has rated the update as “important” rather than critical. In a blog post, Mechele Gruhn, Principal Security Program Manager for the Microsoft Security Response Center, explained that this was because “we did not see it during active attacks”.

However, researchers outside Microsoft – including Google’s Tavis Ormandy – are considerably more alarmed by the vulnerability and urge users to patch quickly, before an active exploit is reported.

Will confirms that all X.509 validations are incorrect, not just the code signature. Okay, I’m back on the hype train, that’s pretty bad. https://t.co/6rBV1lu4Yk

– Tavis Ormandy (@taviso), January 14, 2020

The vulnerability lies in the component of the Windows cryptography library that validates X.509 certificates; exploiting it bypasses the chain of trust that is used to validate a certificate. Microsoft’s advisory for the vulnerability states that the flaw can be used to forge the code-signing certificate on a malicious version of an application so that it appears to come from a trusted developer. However, the risk goes beyond code signing alone. An advisory from the National Security Agency notes that the vulnerability could also be used for man-in-the-middle attacks on secure HTTP (HTTPS) connections and for forging signed files and emails.

The NSA advisory is much more helpful than that from Microsoft. https://t.co/6JxeHDPgPP

– Tavis Ormandy (@taviso), January 14, 2020

Network devices that inspect TLS traffic can provide network-level protection against forged certificates, provided they do not themselves rely on Windows certificate validation. Even so, the NSA warned: “The rapid release of the patch is currently the only known remedy and should be the primary focus of all network owners.”

Of course, there are many other things that are even more urgent – such as all the Citrix and Pulse Secure VPNs that have not yet been patched.

Back to the hundreds of unpatched government SSL VPN boxes that are being actively exploited. They get you directly into the network and provide valid login information.

– Kevin Beaumont (@GossiTheDog) January 14, 2020

The bottom line is: Install the patch. Do not hesitate.