Carnegie Mellon University School of Computer Science
January 16, 2020

Critical Windows Vulnerability - Patch Now

Windows 10 and others affected.

This event has expired. Its previous status was Ongoing.

Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601)

PLATFORMS AFFECTED:
Update/Patch Available: Windows 10, Windows Server (Currently Supported Editions)
Update/Patch Not Available: Windows Vista, Windows 7

CRITICAL IMPACT:
A spoofed code-signing certificate can be used to sign a malicious executable; successful exploitation can also enable man-in-the-middle attacks and the decryption of confidential information.

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.

An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.

A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.
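The notice does not say what "completely validates" was missing; the public analyses of CVE-2020-0601 concern ECC certificates that carry explicit curve parameters instead of a named-curve identifier. As an added example (not code from this page, Microsoft or SCS), the checker below classifies a DER-encoded SubjectPublicKeyInfo so a defender can flag certificates that rely on explicit parameters; the sample inputs are constructed, and the "explicit" sample uses a stand-in SEQUENCE rather than a full curve definition.

```python
# Added checker for the CVE-2020-0601 notice above; not code from the page,
# Microsoft or SCS. Input is a DER-encoded SubjectPublicKeyInfo (SPKI).

EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")        # OID 1.2.840.10045.2.1
NAMED_CURVES = {
    bytes.fromhex("2a8648ce3d030107"): "prime256v1",    # 1.2.840.10045.3.1.7
    bytes.fromhex("2b81040022"): "secp384r1",            # 1.3.132.0.34
    bytes.fromhex("2b81040023"): "secp521r1",            # 1.3.132.0.35
}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low bits = length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def classify_ec_spki(spki):
    """Classify ECParameters: 'named:<curve>', 'explicit', 'implicit', 'not-ec'.

    SPKI ::= SEQUENCE { SEQUENCE { OID ecPublicKey, ECParameters }, BIT STRING }
    ECParameters is a named-curve OID (tag 0x06), an explicit curve definition
    (SEQUENCE, tag 0x30) or implicitlyCA NULL (tag 0x05).
    """
    tag, body, _ = read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SPKI must be a SEQUENCE")
    alg_tag, alg, _ = read_tlv(body, 0)
    if alg_tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    oid_tag, oid, pos = read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != EC_PUBLIC_KEY:
        return "not-ec"
    if pos >= len(alg):
        return "implicit"
    ptag, params, _ = read_tlv(alg, pos)
    if ptag == 0x06:
        return "named:" + NAMED_CURVES.get(params, params.hex())
    if ptag == 0x30:
        return "explicit"   # the certificate itself supplies the curve parameters
    return "implicit"


def tlv(tag, value):
    """Constructed helper: DER-encode one short-form element (value < 128 bytes)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


def build_spki(ec_params_tlv):
    """Constructed helper: wrap the given ECParameters TLV into an EC SPKI."""
    point = b"\x00" + b"\x04" + b"\x11" * 64      # unused-bits byte + fake point
    alg = tlv(0x30, tlv(0x06, EC_PUBLIC_KEY) + ec_params_tlv)
    return tlv(0x30, alg + tlv(0x03, point))


NAMED_SPKI = build_spki(tlv(0x06, bytes.fromhex("2a8648ce3d030107")))
# Stand-in explicit ECParameters: only the outer SEQUENCE tag matters here.
EXPLICIT_SPKI = build_spki(tlv(0x30, tlv(0x02, b"\x01")))
```

A certificate classified as "explicit" is not necessarily malicious, but it is the shape worth reviewing on hosts that have not yet received the update.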

WHAT YOU HAVE TO DO:

Supported SCS Windows Computers:

SCS Computing Facilities will make a patch available for installation on January 16, 2020 at 2:00 pm EST. At that time you can update your system manually. Once patched, reboot your computer if prompted to ensure the security updates have been applied. An automatic install of this patch will take place on Tuesday, January 21, 2020 at 5:00 pm.

If you have an SCS-supported computer still running an unsupported version of Windows, please take action to upgrade your computer to a supported Windows 10 build/version.

Unsupported Windows Computers:

If you run a computer that is not supported by SCS and upgrading is not feasible, manually download and apply these special patches from the Microsoft Update Catalog (Windows Update does NOT work on out-of-support platforms). Please note that Windows 7 has now been dropped from support by Microsoft, so a patch may not be available. See the Microsoft security bulletin on the Common Vulnerabilities and Exposures (CVE) page.