January 2020 Patch Tuesday running commentary, from the skeptic’s corner
We’re in for a hum-dinger of a Patch Tuesday today, with knowledgeable folks anticipating a big, scary new Windows exploit and a ‘Softie Captain America shield patch. We’ll be covering it all right here.
There’s some history to this one. See the details in Computerworld Woody on Windows, and keep watching here for the full blow-by-blow.
UPDATE: Brian Krebs has an inside peek:
NSA says they discovered the flaw on their own and that Microsoft will report that MS has seen no active exploitation of this vulnerability so far… NSA’s dir. of cybersecurity Anne Neuberger says the critical cryptographic vulnerability resides in Windows 10 and Windows Server 2016, and that the concern about this particular flaw is that it “makes trust vulnerable.”
The odds are favoring Kevin Beaumont at this point.
Another UPDATE: Ellen Nakashima at the Washington Post has an article out in the past hour that draws parallels to EternalBlue and WannaCry (which I mention in the Computerworld article):
The National Security Agency recently discovered a major flaw in Microsoft’s Windows operating system — one that could potentially expose computer users to significant breaches or surveillance — and alerted the firm of the problem rather than turn it into a hacking weapon, according to people familiar with the matter… “Code-signing is one of the most effective tools we have to keep malicious software off of computers,” said Matthew Green, a cryptographer and computer science professor at Johns Hopkins University. If the flaw is patched quickly, it’s not that dangerous, he added. “If a lot of people don’t patch, it could be a disaster.”
In response, Tavis Ormandy — another infosec luminary with a long history of straight shooting — tweeted this:
I’m reliably informed that the washington post don’t know what they’re talking about, it’s not an authenticode issue, and is in fact a big deal.
It’s going to be an interesting afternoon here at the not-so-OK Corral.
Kevin Beaumont has some sage advice:
Here’s a question – do you use digital signatures as a key security boundary control? I can count on my left little finger the amount of orgs that do. Patch your Citrix, Fortigate, Pulse Secure SSL VPN boxes and your 11 month old SharePoint vuln. And turn off SMB1.
I would also mention patching Equation Editor, but I’ve beaten that dead horse for far too long. CVE-2017-11882 is the 2017-era Achilles Heel for many unpatched punters.
….Aaaaaaaand we’re off!
214 separate patches available on the Microsoft Update Catalog.
Dustin Childs has his usual well-researched overview on the Zero Day Initiative blog:
Microsoft released patches for 49 CVEs covering Microsoft Windows, Internet Explorer (IE), Office and Office Services and Web Apps, ASP.NET, .NET Core, .NET Framework, Modern Apps, and Microsoft Dynamics. Five of these CVEs were submitted through the ZDI program. Of these 49 CVEs, eight are listed as Critical and 41 are listed as Important in severity. According to Microsoft, none of these are publicly known or under active attack at the time of release.
So much for the Chicken Littles in the audience. But the day is yet young. Notably, Will Dormann (mentioned above) continues to warn that it’s a major problem, even though it’s not listed as exploited, and isn’t even listed as Critical.
Martin Brinkmann has his detailed list on ghacks.net.
According to Kevin Beaumont:
The Microsoft advisory is out now.
1) it’s only rated Important
2) it’s a spoofing issue
3) to get RCE [Remote Code Execution] with it you would need auth[orization], and to have code exec[uting] already.
The NSA did a big press tour before announcement so expect big media play. portal.msrc.microsoft.com/en-US/security
Exactly.
The NSA begs to differ (PDF):
The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors. NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.
Which sounds a whole lot like NSA tooting its own horn. That said, I think it’s great that NSA is disclosing at least some of the security holes that it discovers.
Unless more evidence turns up, I’m going to file this one away as a potential problem, for somebody, some day.
Now back to our usual crowdsourced Windows patch bug catching.
I don’t see any acknowledgment of — much less a solution to — the longstanding File Explorer search bug in Win10 1909.
Look at all of the other security patches out today — Adobe, SAP, VMware, Oracle, and Intel. Thx, Catalin Cimpanu.