Microsoft has released updates for Windows after being tipped off by the US National Security Agency (NSA) about a serious flaw in the operating system that is believed to affect millions of computers.
Updates were also released for Internet Explorer, Office, Office Services and Web Apps, ASP.NET Core, .NET Core, .NET Framework, OneDrive for Android and Dynamics.
Reuters reported that Microsoft and the NSA said there was no evidence that the vulnerabilities had been exploited but urged users to update their systems as soon as possible.
“NSA official Anne Neuberger noted that operators of classified networks had already been prodded to install the update and everyone else should now ‘expedite the implementation of the patch’,” Reuters reported.
According to the news agency, this marks the first time the NSA has publicly claimed credit for advising a company of security vulnerabilities.
In its Security Response Centre, Microsoft said it believes in Coordinated Vulnerability Disclosure (CVD) as proven industry best practice to address security vulnerabilities.
“To prevent unnecessary risk to customers, security researchers and vendors do not discuss the details of reported vulnerabilities before an update is available,” it stated.
Sources have reportedly told KrebsOnSecurity that Microsoft has “quietly shipped a patch for the bug to branches of the US military and to other high-value customers/targets that manage key Internet infrastructure, and that those organisations have been asked to sign agreements preventing them from disclosing details of the flaw prior to 14 January, the first Patch Tuesday of 2020.”
A total of 270 issues were found across Microsoft's software, spanning Windows, developer tools, browsers and Office.
A spoofing vulnerability (CVE-2020-0601) exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, Microsoft explained.
“A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.”
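The article does not say what the validation flaw actually was. The publicly documented root cause of CVE-2020-0601 is that CryptoAPI matched a certificate's ECC public key against a cached trusted root by comparing the public-key point alone, without also checking the curve parameters, in particular the generator point, that a certificate may carry explicitly. The following is an added example written for this page, not code from the article or from Microsoft, that models that check in plain Python with a toy P-256 implementation. An attacker who knows a private key d' picks a generator G' such that d'·G' equals the trusted root's public key Q; a comparison of public keys alone then succeeds, while a comparison that also includes the curve parameters fails. The root private key, the attacker's private key and the certificate dictionaries are constructed samples, and the curve arithmetic is not constant-time and not intended for production use.

```python
"""Toy model of the CVE-2020-0601 trust check (added example, not article or Microsoft code).

NIST P-256 is implemented with plain affine arithmetic for illustration only:
it is not constant-time and must not be used for real cryptography.
"""

# NIST P-256 domain parameters (public constants).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
STANDARD_PARAMS = (P, A, B, G, N)


def point_add(p1, p2):
    """Add two affine points on y^2 = x^3 + A*x + B over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add k * point."""
    result = None
    addend = point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def make_trusted_root(d_root):
    """Legitimate CA certificate: standard P-256 parameters and Q = d_root * G."""
    return {"params": STANDARD_PARAMS, "pubkey": scalar_mult(d_root, G)}


def forge_root_with_known_key(trusted_root, d_fake):
    """Attacker-crafted certificate carrying explicit curve parameters.

    The generator is chosen as G' = (d_fake^-1 mod N) * Q, so that d_fake * G'
    equals the trusted root's public key Q while the attacker knows d_fake and
    can therefore produce signatures under it.
    """
    q = trusted_root["pubkey"]
    g_fake = scalar_mult(pow(d_fake, -1, N), q)
    return {"params": (P, A, B, g_fake, N), "pubkey": scalar_mult(d_fake, g_fake)}


def matches_trusted_root_vulnerable(cert, trusted_root):
    """Pre-patch style check: the public-key point alone decides trust."""
    return cert["pubkey"] == trusted_root["pubkey"]


def matches_trusted_root_fixed(cert, trusted_root):
    """Fixed check: the public key and every curve parameter, generator included, must match."""
    return (cert["pubkey"] == trusted_root["pubkey"]
            and cert["params"] == trusted_root["params"])


def demo():
    """Run the forgery against both checks and return the outcomes."""
    d_root = 0x1F5D3E7A9C0B4D6E8F1A2B3C4D5E6F708192A3B4C5D6E7F8091A2B3C4D5E6F70  # constructed sample
    d_fake = 0x1337                                                              # attacker-chosen
    root = make_trusted_root(d_root)
    forged = forge_root_with_known_key(root, d_fake)
    return {
        "forged_key_matches": forged["pubkey"] == root["pubkey"],
        "vulnerable_check_accepts_forgery": matches_trusted_root_vulnerable(forged, root),
        "fixed_check_accepts_forgery": matches_trusted_root_fixed(forged, root),
        "fixed_check_accepts_genuine": matches_trusted_root_fixed(root, root),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the model is the last two functions: the forged certificate's public key is byte-for-byte identical to the trusted root's, so any check that keys trust off the public key alone is satisfied, and only a comparison of the full set of curve parameters distinguishes the two. A certificate that carries explicit curve parameters instead of a named curve is therefore itself a signal worth alerting on.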
Two information disclosure vulnerabilities exist in the Windows Common Log File System (CLFS) driver when it fails to properly handle objects in memory. An attacker who successfully exploited one of them could read data that was not intended to be disclosed, but could not use it directly to execute code or elevate privileges.
A spoofing vulnerability exists when Office Online does not correctly validate the origin in cross-origin communications. An attacker could exploit it by sending a specially crafted request to an affected site, and could then read content they are not authorised to read and use the victim's identity to take actions on the site on behalf of the victim.
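As an added example, not code from the article or from Office Online, the following Python shows the difference between a loose origin check and a correct one for a cross-origin request or message. The loose check matches substrings of the raw origin string, which an attacker-controlled host name can satisfy; the strict check parses the origin and compares scheme, host and port exactly against an allowlist, rejecting anything that is not a bare origin. The allowlist and the sample origins are constructed for the example.

```python
"""Origin validation for cross-origin requests (added example, not Office Online code)."""
from urllib.parse import urlsplit

# Constructed allowlist of origins that may talk to this site. An origin is
# scheme + host + port only: no path, query or fragment.
ALLOWED_ORIGINS = {"https://office.example.com", "https://docs.example.com"}


def origin_allowed_weak(origin):
    """The mistake: a substring test on the raw Origin string.

    Any attacker host that *contains* an allowed host name passes, e.g.
    https://office.example.com.evil.net, and the scheme is never checked.
    """
    return any(allowed.split("://", 1)[1] in origin for allowed in ALLOWED_ORIGINS)


def origin_allowed_strict(origin):
    """Parse the origin and compare (scheme, host, port) exactly.

    Rejects the opaque "null" origin, non-https schemes, userinfo tricks such as
    https://office.example.com@evil.net (the real host is evil.net), and anything
    that smuggles a path, query or fragment into what should be a bare origin.
    """
    if not origin or origin == "null":
        return False
    try:
        parts = urlsplit(origin)
        host = parts.hostname          # lower-cased by urlsplit
        port = parts.port              # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme != "https" or host is None or parts.username is not None:
        return False
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False
    normalized = f"https://{host}" if port in (None, 443) else f"https://{host}:{port}"
    return normalized in ALLOWED_ORIGINS


def compare_checks(origins):
    """Run both checks over a list of origins; returns {origin: (weak, strict)}."""
    return {o: (origin_allowed_weak(o), origin_allowed_strict(o)) for o in origins}


if __name__ == "__main__":
    samples = [  # constructed
        "https://office.example.com",
        "https://office.example.com.evil.net",
        "https://office.example.com@evil.net",
        "http://office.example.com",
        "https://OFFICE.example.com:443",
        "null",
    ]
    for origin, (weak, strict) in compare_checks(samples).items():
        print(f"{origin:45} weak={weak!s:5} strict={strict}")
```

The same rule applies whichever side performs the check: the receiving page of a postMessage exchange compares the message's origin exactly, and a server compares the Origin header exactly; neither should accept a wildcard or a prefix match when the response will carry the victim's data or act under their session.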
CVE-2020-0654 is a security feature bypass vulnerability in the Microsoft OneDrive app for Android that could allow an attacker to bypass the app's passcode or fingerprint requirements.
Some of the other vulnerabilities being patched include a Remote Desktop Web Access information disclosure vulnerability, three Microsoft Excel remote code execution vulnerabilities (CVE-2020-0650, CVE-2020-0651 and CVE-2020-0653), a Microsoft Office memory corruption vulnerability, a Windows GDI+ information disclosure vulnerability, two Microsoft Graphics Component information disclosure vulnerabilities and a Win32k information disclosure vulnerability.