January 2020 Patch Addresses Windows Vulnerabilities in Elliptic Curve Cryptography (ECC) Certificates and Remote Desktop Protocol (RDP) Connections
Advisory Type: IT Security
PDS is providing the following communication to build awareness of a number of vulnerabilities identified in Microsoft Windows operating systems which, if not addressed, pose a significant threat to an environment. The Secretary of Homeland Security directed DHS to release a statement regarding the latest vulnerabilities, which stem from a security defect in Windows operating systems. The Windows patches address the ECC and RDP vulnerabilities, and the government is requesting that agencies patch within 10 business days.
On January 14, 2020, Microsoft released a software patch to mitigate significant vulnerabilities in supported Windows operating systems. Among the vulnerabilities patched were weaknesses in how Windows validates Elliptic Curve Cryptography (ECC) certificates and how Windows handles connection requests in the Remote Desktop Protocol (RDP) server and client.
The January 2020 Microsoft Patch Tuesday updates contain two critical patches which require immediate review by IT Operations and Security teams.
CVE-2020-0601 Windows CryptoAPI Spoofing Vulnerability
This vulnerability, reported to Microsoft by the US National Security Agency (NSA), involves a flaw in the method used to validate some PKI certificates. Proof-of-concept exploits have been made public which allow an attacker to make spoofed certificates appear legitimate. The vulnerability is present in all Windows 10 and Windows Server 2016/2019 products.
Two more of this month's patches address vulnerabilities in the Windows Remote Desktop Gateway products which can let an attacker into the network if the service is exposed to the Internet.
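The following PowerShell triage script is an added example for the two issues above; it is not PDS or Microsoft tooling. It assumes that patched Windows builds record rejected CVE-2020-0601 certificates as Event ID 1 from the provider "Microsoft-Windows-Audit-CVE" in the Application log, and that the RD Gateway role runs as the service "TSGateway" and listens on TCP 443 and UDP 3391.

```powershell
# Added example (not from the advisory): post-patch triage helpers for the
# CVE-2020-0601 CryptoAPI flaw and the RD Gateway exposure described above.
# Assumptions: provider name "Microsoft-Windows-Audit-CVE" / Event ID 1 for
# blocked spoofed certificates; service name "TSGateway"; ports 443/3391.

function Get-Cve20200601Attempts {
    # Return Audit-CVE events for CVE-2020-0601 from the last $Days days.
    # On a patched host, each hit is a certificate with spoofed ECC parameters
    # that was presented to this machine and rejected; investigate the source.
    param([int]$Days = 30)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Audit-CVE'
        Id           = 1
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports "no events found" as an error; treat that as empty.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'CVE-2020-0601' } |
        Select-Object TimeCreated, MachineName, Message
}

function Test-RdGatewayExposure {
    # Report whether this host runs RD Gateway and which local addresses the
    # gateway ports are bound on, so Internet-facing gateways are patched first.
    $svc = Get-Service -Name 'TSGateway' -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Installed = $false; Running = $false; Listeners = @() }
    }
    $tcp = Get-NetTCPConnection -State Listen -LocalPort 443 -ErrorAction SilentlyContinue |
        ForEach-Object { "tcp $($_.LocalAddress):$($_.LocalPort)" }
    $udp = Get-NetUDPEndpoint -LocalPort 3391 -ErrorAction SilentlyContinue |
        ForEach-Object { "udp $($_.LocalAddress):$($_.LocalPort)" }
    [pscustomobject]@{
        Installed = $true
        Running   = ($svc.Status -eq 'Running')
        Listeners = @($tcp) + @($udp)
    }
}

# Usage: run on each Windows host after the January 2020 updates are applied.
Get-Cve20200601Attempts -Days 30 | Format-Table -AutoSize
Test-RdGatewayExposure | Format-List
```

A listener bound to 0.0.0.0 or an external interface means the gateway is reachable from outside and should be patched ahead of internal-only hosts; an empty result from the first function on an unpatched host proves nothing, because the audit event only exists once the patch is installed.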
We strongly advise our customers to review the information Microsoft published and install the patches as quickly as your testing and validation processes allow. Please contact your account manager or account director if you would like to arrange assistance with the installation planning of these updates.
To review the January 2020 Security Updates Release Notes, please use this link: https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Jan
Review the details of the Department of Homeland Security announcement: https://cyber.dhs.gov/ed/20-02/
Contact PDS for more details about this security advisory or what action you need to take at: Contact Us or 800-966-6090