CRITICAL Windows update today


Lorenzo von Matterhorn
Jan 31, 2009
Reaction score
Supposedly the first bug EVER reported by the NSA, an incredibly serious one that's been around for a long time. [Cynic ON] They must have new exploit methods and no longer need it OR the exploit has been compromised by having been independently discovered by bad guys or somehow transferred to them via a security leak. And, cough, cough, are we sure its origin was actually an unintentional bug? SURE would have been incredibly useful. [Cynic OFF]

13 Jan 20
Cryptic Rumblings Ahead of First 2020 Patch Tuesday

Sources tell KrebsOnSecurity that Microsoft Corp. is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020.

According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles “certificate and cryptographic messaging functions in the CryptoAPI.” The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates.

A critical vulnerability in this Windows component could have wide-ranging security implications for a number of important Windows functions, including authentication on Windows desktops and servers, the protection of sensitive data handled by Microsoft’s Internet Explorer/Edge browsers, as well as a number of third-party applications and tools.

Equally concerning, a flaw in crypt32.dll might also be abused to spoof the digital signature tied to a specific piece of software. Such a weakness could be exploited by attackers to make malware appear to be a benign program that was produced and signed by a legitimate software company.

This component was introduced into Windows more than 20 years ago — back in Windows NT 4.0. Consequently, all versions of Windows are likely affected (including Windows XP, which is no longer being supported with patches from Microsoft).


Bug confirmed and Microsoft patch issued:

CVE-2020-0601 | Windows CryptoAPI Spoofing Vulnerability
Security Vulnerability
Published: 01/14/2020 | Last Updated : 01/14/2020
MITRE CVE-2020-0601

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.

An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.

A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.


Patch Critical Cryptographic Vulnerability in Microsoft Windows
Clients and Servers


NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows®1 cryptographic functionality.

The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities. Examples where validation of trust may be impacted include:

o HTTPS connections
o Signed files and emails
o Signed executable code launched as user-mode processes

The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors. NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.


Microsoft Windows CryptoAPI fails to properly validate ECC certificate chains
Vulnerability Note VU#849224
Original Release Date: 2020-01-14


Lorenzo von Matterhorn
Jan 31, 2009
Reaction score
Once again, reading between the lines.

Just as we have the sudden unidentified drone hysteria at the same instant in time that the FAA proposes a draconian, incredibly unpopular rule that all RC aircraft down to 250 grams be equipped with transponders, just as we had the elephant walk of 52 F-35s at Hill AFB, UT on Jan. 6 after President Trump tweeted there were 52 targets in Iran on the target list coupled with previous widespread reports implying that Iran's S-300 SAM system was useless against F-35s, the US having successfully discouraged the Russians from selling Iran the S-400 system which just now is being offered to them again by the Russians, we have this very interesting timing for the NSA to suddenly reveal such an incredibly powerful "accidental bug" exploit which meant that Windows had been completely wide open for exploitation previously.

14 JAN 20
Patch Tuesday, January 2020 Edition

Microsoft today released updates to plug 50 security holes in various flavors of Windows and related software. The patch batch includes a fix for a flaw in Windows 10 and server equivalents of this operating system that prompted an unprecedented public warning from the U.S. National Security Agency.

Was the "suddenly, just now discovered" bug used here:

OCTOBER 15, 2019
Exclusive: U.S. carried out secret cyber strike on Iran in wake of Saudi oil attack: officials

exposing it and making it likely to be used here:

Threat of Cyberattack by Iran Still Critical, Experts Say
Despite cooling tensions, nation-state-level attacks could occur, according to cybersecurity specialists
Jan. 9, 2020

and now, weighing the value of their exploit versus the huge potential damage if enemies used it, the NSA decided to reveal one of their tools?

Could be...

Bill S

Well-Known Member
Aug 6, 2019
Reaction score
Well I went ahead and tried to update my laptop from Win 7 to 10, and guess what? It couldn't update, due to the dreaded "could not update system reserved partition" error, which looks to be a real difficult one to solve. :( Thank you so very much Microsoft.


Cyborg Rocketeer
Staff member
Global Mod
Jan 5, 2009
Reaction score
Alliance, Ohio
Well, I downloaded what will probably be my last Windows 7 update yesterday and my computer spent a sizable chunk of my morning trying to restart. Oh well, I got a few things cleaned off of my messy desk while I waited.