Windows 10/Server extreme security flaw

An extremely bad security flaw in Microsoft Windows has just been reported and patched. Here’s more information from the NSA:

https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF

NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows® cryptographic functionality. The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities. Examples where validation of trust may be impacted include:

  • HTTPS connections
  • Signed files and emails
  • Signed executable code launched as user-mode processes

The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors. NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.

Information from the Department of Homeland Security:

Emergency Directive 20-02
Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday

Information from US-CERT:

Alert (AA20-014A)
Critical Vulnerabilities in Microsoft Windows Operating Systems

Brian Krebs had sounded early alerts:

Cryptic Rumblings Ahead of First 2020 Patch Tuesday

Update, Jan. 14, 9:20 a.m. ET: The NSA’s Neuberger said in a media call this morning that the agency did indeed report this vulnerability to Microsoft, and that this was the first time Microsoft will have credited NSA for reporting a security flaw. Neuberger said NSA researchers discovered the bug in their own research, and that Microsoft’s advisory later today will state that Microsoft has seen no active exploitation of it yet.

According to the NSA, the problem exists in Windows 10 and Windows Server 2016. Asked why the NSA was focusing on this particular vulnerability, Neuberger said the concern was that it “makes trust vulnerable.” The agency declined to say when it discovered the flaw, and said it would wait until Microsoft releases a patch for it later today before discussing further details of the vulnerability.

Update, 1:47 p.m. ET: Microsoft has released updates for this flaw (CVE-2020-0601). Their advisory is here.
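The NSA text above says patching is the only known mitigation, so the first practical question for a network owner is which hosts are in the affected population and which have not taken an update since the January 14, 2020 Patch Tuesday. The script below is an added example, not code from the post, the NSA, CISA or Microsoft. It takes the affected-platform list and the patch date from the quoted material; the KB identifiers for the fix are not given on this page, so the `$PatchKB` parameter is a placeholder to be filled from Microsoft's advisory, and the "updated since Patch Tuesday" field is only a coarse recency signal, not proof that this specific fix is installed.

```powershell
# Added example (not from the post or the cited advisories).
# Inventory check for CVE-2020-0601 exposure on a single Windows host:
#  - is this one of the platforms the NSA advisory lists as affected?
#  - has any update been installed on or after the 14 Jan 2020 Patch Tuesday?
#  - optionally, is a specific KB (supplied by the operator) present?
param(
    # Placeholder: KB IDs for the CVE-2020-0601 fix are not listed on this page;
    # take them from Microsoft's advisory for your build, e.g. -PatchKB 'KBnnnnnnn'.
    [string[]]$PatchKB = @()
)

# Date of the January 2020 Patch Tuesday, as quoted from Krebs and the DHS directive.
$patchTuesday = [datetime]'2020-01-14'

$os      = Get-CimInstance -ClassName Win32_OperatingSystem
$caption = $os.Caption

# Affected platforms named in the NSA advisory quoted above.
$inAffectedPopulation = $caption -match 'Windows 10|Windows Server 2016|Windows Server 2019'

# Installed updates, oldest first. InstalledOn can be empty for some entries,
# which sort first and are ignored by the recency comparison.
$hotfixes = Get-HotFix | Sort-Object InstalledOn
$latest   = $hotfixes | Where-Object { $_.InstalledOn } | Select-Object -Last 1

$updatedSincePatchTuesday = [bool]($latest -and $latest.InstalledOn -ge $patchTuesday)

# Only meaningful when the operator supplied the real KB IDs.
$specifiedKBInstalled = if ($PatchKB.Count -gt 0) {
    [bool]($hotfixes | Where-Object { $PatchKB -contains $_.HotFixID })
} else {
    $null   # not checked
}

# One record per host; pipe to Export-Csv when running across a fleet.
[pscustomobject]@{
    ComputerName             = $env:COMPUTERNAME
    OS                       = $caption
    Build                    = $os.BuildNumber
    InAffectedPopulation     = $inAffectedPopulation
    LatestUpdateInstalled    = if ($latest) { $latest.InstalledOn } else { $null }
    UpdatedSincePatchTuesday = $updatedSincePatchTuesday
    SpecifiedKBInstalled     = $specifiedKBInstalled
}
```

Run it as a script with `-PatchKB` set to the KB numbers from the Microsoft advisory for your Windows build; a host that reports `InAffectedPopulation` true and `SpecifiedKBInstalled` false is the one to prioritise, and `UpdatedSincePatchTuesday` false on its own is enough to flag a host that has clearly not taken the January updates at all.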

Thunderbird: important security patch (68.4.1)

The new Thunderbird 68.4.1 release brings an important security fix, with “targeted attacks in the wild abusing this flaw,” but “these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.”

Thunderbird is Mozilla Corp.’s open-source, cross-platform email, chat, calendar, contacts and newsfeed (RSS) program, which features reliable email processing, smart folders, phishing protection and spam tools, special support for large-file transfers, quick filtering, Web searching, and plug-ins/add-ons for customization. See Thunderbird help topics for more information.

Thunderbird 68.4.1 is a free download for OS X 10.9 and up, as well as Linux and Windows. (Pre-release test versions are also available.)

Firefox: critical security patch (72.0.1)

The latest Firefox release, 72.0.1, brings a critical security patch with “targeted attacks in the wild abusing this flaw.”

Firefox is the free, cross-platform web browser from Mozilla, promising better privacy than Google’s Chrome and offering an appealing, open-source alternative to Apple’s Safari.

Version 72.0.0, the previous version released just a day earlier, also brought security fixes, plus additional privacy and security protections and feature updates:

  • Firefox’s Enhanced Tracking Protection marks a major new milestone in our battle against cross-site tracking: we now block fingerprinting scripts by default for all users, taking a new bold step in the fight for our users’ privacy.
  • Firefox replaces annoying notification request pop-ups with a more delightful experience, by default for all users. The pop-ups no longer interrupt your browsing; in their place, a speech bubble will appear in the address bar when you interact with the site.
  • Picture-in-picture video is now also available in Firefox for Mac and Linux: Select the blue icon from the right edge of a video to pop open a floating window so you can keep watching while working in other tabs or apps.

Firefox 72.0.1 is a free download for OS X 10.9 and up, plus Linux, and Windows.

Firefox ESR 68.4.1 (see security notes and downloads) adds the critical security fix to the Extended Support Release family for OS X 10.9 or later, Linux, or Windows. A Firefox FTP server includes all the various versions for downloading.

Firefox Quantum Developer Edition is an alternate version for desktop systems that incorporates tools such as editors, debuggers and responsive design views.

Firefox Quantum for Enterprise is a version that lets people set up policies (e.g. proxy, restrict features) with Group Policy on Windows and a JSON file on Mac and Linux.

Firefox for iOS 20.2 is a free mobile version for iOS 11 and up, with automatic search suggestions, a private browsing mode, tracking protection and Siri Shortcut support for iOS 12.