After two days of forewarning, Microsoft released its January 2020 collection of updates for "Patch Tuesday." It had been leaked that there was a critical flaw in the crypt32.dll library, one that could have serious security consequences worldwide.
The crypt32.dll library provides the foundation for cryptographic operations in Windows and is often leveraged by applications to perform key creation, storage, hashing, and verification of certificates. Any vulnerability in this DLL has the potential to affect all cryptographic-dependent applications as well as the operating system. In addition, this core library has been in use since the days of Windows NT.
In the release of patches, Microsoft publicly disclosed CVE-2020-0601 and publicly acknowledged that it was discovered by the NSA. The vulnerability appears to be significant in that a fraudulent code-signing certificate using Elliptic Curve Cryptography (ECC) can fool the verification engine and allow malicious software to be installed and run.
The issue appears to be limited to systems running Windows 10, Server 2016, and Server 2019. This is of particular interest as ECC support has been available in Windows since Server 2008 R2. So the problem must be specific to changes that occurred in Windows 10. Is it possible the problem exists prior to Windows 10? Anything is possible, but given the notification and support of older operating systems, Microsoft surely would have evaluated these older versions to see if they were susceptible.
The recommendation is to get this patch out to targeted systems as soon as possible. While there are no known exploits of this in the wild, history has shown that once reports are made public, exploitation of those weaknesses won't be far behind. Given its ability to bypass critical security controls, this will likely be a prime target for adversarial actors.
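As an added defender-side example (not part of the original post), the following PowerShell checks a host for the audit events that Microsoft's fix for CVE-2020-0601 writes when a tampered certificate is rejected. It assumes the patched crypt32.dll logs Event ID 1 from the provider Microsoft-Windows-Audit-CVE in the Application log; an unpatched host writes no such events, so an empty result is not evidence of safety.

```powershell
# Added example, not code from the original post.
# Assumption: after the January 2020 update, crypt32.dll records rejected
# CVE-2020-0601 certificates as Event ID 1 from Microsoft-Windows-Audit-CVE
# in the Application log. Unpatched hosts log nothing, so silence here only
# means "no detection", not "not affected". Run from an elevated session.

function Get-CurveBallAuditEvents {
    param(
        [int]$Days = 30   # how far back to search
    )

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Audit-CVE'
        Id           = 1
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    try {
        # -ErrorAction Stop turns the "No events were found" error into a
        # catchable exception so the function returns an empty set cleanly.
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
    } catch {
        $events = @()
    }

    # The provider is shared with other audited issues, so keep only entries
    # whose message names this CVE.
    $events |
        Where-Object { $_.Message -like '*CVE-2020-0601*' } |
        Select-Object TimeCreated, MachineName, Message
}

# Report which OS family this host belongs to; the post lists Windows 10,
# Server 2016 and Server 2019 as the affected versions.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host ("Host: {0}  OS: {1}  Build: {2}" -f $env:COMPUTERNAME, $os.Caption, $os.BuildNumber)

$hits = @(Get-CurveBallAuditEvents -Days 30)
if ($hits.Count -eq 0) {
    Write-Host 'No CVE-2020-0601 audit events found (or host is unpatched and cannot log them).'
} else {
    Write-Host ("{0} CVE-2020-0601 audit event(s) found; investigate the signer of each file:" -f $hits.Count)
    $hits | Format-List
}
```

Forward these events to your SIEM; on a patched fleet, any hit indicates a certificate that was crafted to abuse this flaw.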
In summary, while not the doomsday scenario that was circulating in the last few days, this vulnerability is serious and should be patched quickly.