Catch Of The Week: Update Windows 10 Now

By BECKY RUTHERFORD

Los Alamos

This week both the U.S. National Security Agency (NSA) Cybersecurity Directorate and the DHS’s (Department of Homeland Security) Cybersecurity & Infrastructure Security Agency (CISA) released warnings to Windows 10 users to apply the latest software update released from Microsoft immediately. 

You might wonder what could be so horrible that both of these agencies would urge users to update with such urgency… the answer is a vulnerability called CVE-2020-0601, Windows CryptoAPI Spoofing vulnerability.

This vulnerability affects all systems running Windows 10, in both the 32- and 64-bit versions.

Why is this so terrible? It breaks certificate validation for Elliptic Curve Cryptography (ECC) certificates, allowing a forged certificate to be accepted as if it chained to a root in the trust store. This means that malicious software could disguise itself as legitimate software that has been authenticated by a trusted source.

What this means is that any software out there could spoof legitimate software, essentially telling your computer, “Hi! Microsoft has verified me, and I am good to install on your machine!” when in reality, the software is from “MalwarezRUSBadTimezStorez”. So it destroys any trust that you might have for any files you can download from the internet that are “verified” unless you immediately update your computer to fix the issue. The same issue applies to browsers that rely on Windows CryptoAPI to verify websites. 

The exploit can also be used to undermine PKI (Public Key Infrastructure) trust. PKI is the framework of encryption and cybersecurity, and how communications between the server (a website) and your computer (the client) are protected.

The vulnerability is rated as “important,” and companies and users are urged to treat this as a top priority and remediate quickly.

According to a report from Ars Technica, less than a day after disclosure of this vulnerability, a security researcher was already able to demonstrate how attackers can exploit it to “cryptographically impersonate any website or server on the internet”. 

Researcher Saleem Rashid tweeted images showing the classic “Never Gonna Give You Up” video by Rick Astley playing on Github.com and NSA.gov. Rashid’s exploit caused both the Edge and Chrome browsers to spoof the HTTPS-verified websites of GitHub and the National Security Agency. This attack is a proof of concept and, in reality, would likely be difficult for a real-world adversary to achieve, but it is still fairly terrifying.

Do not defer this Patch Tuesday update; install it on your Windows 10 machines ASAP. If your machine is set up to update automatically, it should have already updated for you, but you should verify that you are up to date. If you have automatic updates turned off, then make sure that you do it manually.
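The following PowerShell session is an added example, not part of the original article, showing how an administrator can verify the points above on a Windows 10 host: the installed build and recent hotfixes, whether a cumulative update is still pending, and what certificate chain a downloaded installer actually presents. The file path in `$File` is a placeholder; the cmdlets and the Windows Update Agent COM object are standard on Windows 10 and need no extra modules.

```powershell
# Added example (not from the article): defender-side checks on a Windows 10 host
# after the CVE-2020-0601 advisory. Run from an elevated PowerShell prompt.

# 1. Which build is this machine on, and what was installed recently?
Get-ComputerInfo | Select-Object OsName, OsVersion, OsBuildNumber
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn

# 2. Is a cumulative update still waiting to be installed?
#    Uses the built-in Windows Update Agent COM API (no PSWindowsUpdate needed).
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates
if ($pending.Count -eq 0) {
    "No pending software updates reported by Windows Update."
}
foreach ($u in $pending) {
    $kbs = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ', '
    "{0}  {1}" -f $kbs, $u.Title
}
# A pending "Cumulative Update for Windows 10" line means the fix is not applied yet.

# 3. Inspect the Authenticode signature and certificate chain of a downloaded file.
#    $File is a placeholder path; point it at the installer you are about to run.
$File = 'C:\Users\Public\Downloads\installer.exe'
$sig  = Get-AuthenticodeSignature -FilePath $File

[pscustomobject]@{
    Status  = $sig.Status                 # Valid / NotSigned / HashMismatch / UnknownError ...
    Signer  = $sig.SignerCertificate.Subject
    Issuer  = $sig.SignerCertificate.Issuer
    KeyType = $sig.SignerCertificate.PublicKey.Oid.FriendlyName   # 'ECC' is the key type CVE-2020-0601 concerns
}

if ($sig.SignerCertificate) {
    # Build the chain explicitly and print every certificate up to the root, so the
    # trust anchor is visible instead of relying on a single "Valid" verdict.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $built = $chain.Build($sig.SignerCertificate)
    "Chain builds: $built"
    $chain.ChainElements | ForEach-Object {
        "{0,-60} thumbprint {1}" -f $_.Certificate.Subject, $_.Certificate.Thumbprint
    }
    $chain.ChainStatus | ForEach-Object {
        "Chain status: {0} ({1})" -f $_.Status, $_.StatusInformation.Trim()
    }
} else {
    "File is not signed; do not treat it as verified."
}
```

These checks go through the same Windows CryptoAPI the article describes, so on an unpatched host they can be fooled in exactly the same way; run them after the update has been applied, and compare the root thumbprint printed in step 3 with the roots actually present in the machine store (`Get-ChildItem Cert:\LocalMachine\Root`) rather than trusting the "Valid" status alone.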

Editor’s note: Becky Rutherford works in information technology at Los Alamos National Laboratory.
