tigeexhaconvehead

January 2020 – Microsoft Patch Tuesday: The Biggest Security Fixes of the Month



Recommendations: Beyond personal financial loss, the above-mentioned vulnerabilities also carry potential adverse impact for enterprises, such as financial loss, data leakage, damage to trust and confidence, and disruption of services. As these high-risk vulnerabilities cover the latest versions of Microsoft Windows, including Windows 10 and Windows Server 2016/2019, and proof-of-concept (PoC) exploit code for CVE-2020-0601 is already publicly available, actual attacks can come at any time. HKCERT therefore strongly recommends applying the critical patches as soon as possible, especially on systems exposed to the Internet. For further details please refer to the links below:


CryptoAPI Spoof

The show stealer for this month, though, is an Important-rated patch for a Windows CryptoAPI spoofing vulnerability (CVE-2020-0601). The vulnerability affects Windows 10, Windows Server 2016 and Windows Server 2019 and was reported to Microsoft by the NSA. The flaw lies in how crypt32.dll validates Elliptic Curve Cryptography (ECC) certificates, which lets an attacker present a code-signing or TLS certificate that appears to chain to a trusted root. Security writer Brian Krebs indicated on Monday that Microsoft had delivered the patch to U.S. military organizations in advance, presumably because the flaw undermines the trust placed in digitally signed certificates and code.







For that reason and more, many security researchers are putting CVE-2020-0601 at the top of the patching priority list, even though Microsoft rates it only Important. Notably, the patched crypt32.dll also writes an entry to the Windows event log when it validates a certificate that attempts to exploit the flaw (Event ID 1 from the Microsoft-Windows-Audit-CVE source in the Application log), which gives defenders a detection signal once the update is installed.
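The spoof described above relies on Windows accepting an ECC certificate that carries explicit curve parameters and matching it to a cached trusted root by public key alone. The following Python model is added here as an example; it is not code from the page, from Microsoft, or from the NSA advisory. It shows why the missing parameter check is fatal on P-256: an attacker who knows only the CA's public key Q can choose any private key d' and publish a base point G' = d'^-1 * Q, so that d' * G' = Q. A validator that matches roots by public key but then verifies signatures with the base point the presented certificate carries accepts the attacker's signatures; one that also compares the domain parameters does not. CA_PRIV, the signing nonce, the dict-shaped "certificates" and every function name (forge_root, vulnerable_trust_check, fixed_trust_check, validate, demo) are constructed for this illustration.

```python
import hashlib

# Added example modelling CVE-2020-0601 on NIST P-256 in pure Python (3.8+).
# CA_PRIV, the nonce k, the dict "certificates" and all names are constructed.

# NIST P-256: y^2 = x^3 + A*x + B over GF(P); base point G has prime order N.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(gen, d, msg, k):
    """ECDSA over the supplied base point gen (fixed nonce k: demo only)."""
    r = mul(k, gen)[0] % N
    s = pow(k, -1, N) * (hash_to_int(msg) + r * d) % N
    return r, s

def verify(gen, pub, msg, sig):
    """ECDSA verification using whatever base point the certificate carries."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    x = add(mul(hash_to_int(msg) * w % N, gen), mul(r * w % N, pub))
    return x is not None and x[0] % N == r

# Constructed CA key pair; the genuine root uses the named curve, base point G.
CA_PRIV = 0x1234_5678_9abc_def0_1234_5678_9abc_def0_1234_5678_9abc_def0_1234_5678_9abc_def1
CA_ROOT = {"curve": "named:P-256", "gen": G, "pub": mul(CA_PRIV, G)}

def forge_root(trusted_root, d_prime):
    """Explicit-parameter 'root' with the CA's Q but base point G' = d'^-1 * Q."""
    g_prime = mul(pow(d_prime, -1, N), trusted_root["pub"])
    return {"curve": "explicit", "gen": g_prime, "pub": trusted_root["pub"]}

def vulnerable_trust_check(cert, cached_root):
    # Pre-patch behaviour modelled: the cached root is matched on public key only.
    return cert["pub"] == cached_root["pub"]

def fixed_trust_check(cert, cached_root):
    # Post-patch behaviour modelled: the domain parameters must match as well.
    return (cert["pub"] == cached_root["pub"] and cert["curve"] == cached_root["curve"]
            and cert["gen"] == cached_root["gen"])

def validate(sig, msg, presented_root, cached_root, trust_check):
    """Accept msg only if the root matches and the signature verifies under its parameters."""
    if not trust_check(presented_root, cached_root):
        return False
    return verify(presented_root["gen"], presented_root["pub"], msg, sig)

def demo(d_prime=0x2A):
    fake_root = forge_root(CA_ROOT, d_prime)
    msg = b"CN=update.example.test, leaf signed with the forged root"  # constructed
    sig = sign(fake_root["gen"], d_prime, msg, k=0x1337)
    return {
        "same_pubkey": fake_root["pub"] == CA_ROOT["pub"],
        "d_prime_is_private_key_for_Q": mul(d_prime, fake_root["gen"]) == CA_ROOT["pub"],
        "vulnerable_accepts": validate(sig, msg, fake_root, CA_ROOT, vulnerable_trust_check),
        "fixed_accepts": validate(sig, msg, fake_root, CA_ROOT, fixed_trust_check),
        "valid_under_true_params": verify(G, CA_ROOT["pub"], msg, sig),
    }
```

Calling demo() shows the whole chain: the forged root carries the genuine public key, the attacker's d' really is a private key for it under G', the key-only matcher accepts the forged signature, the parameter-aware matcher rejects it, and the same signature fails against the genuine parameters. Real CryptoAPI works on X.509 SubjectPublicKeyInfo encodings rather than dicts; the model keeps only the two facts that matter, namely what the cache compares and which base point the verifier ends up using.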


Organizations shouldn't delay in patching the CVE-2020-0601 vulnerability, according to Tim Mackey, a principal security strategist at Synopsys, a provider of semiconductor design solutions, in an e-mailed comment:


There's also a memory corruption vulnerability in the Internet Explorer browser that could be used to execute code via a crafted Web page, which is addressed by the Critical patch for CVE-2020-0640, Munshaw noted.


The statement is that all versions of Windows are affected. But the recommendations and patches for CVE-2020-0601 all apply to Windows 10, 2016, and 2019. Patches for Windows 7, 8, 2008, and 2012 do not mention addressing CVE-2020-0601. What am I missing?


It turns out that a software patch in that "final" security update caused some Windows 7 users' desktop backgrounds to go black, so Windows 7 will get at least one more update in early 2020 to fix that erroneous patch.


While you're patching Windows, it would be wise to get the latest update for VMware Tools as well. That fix cleans up CVE-2020-3941, a race condition flaw that could allow a local user to escalate privileges within a Windows VM.


The Fall Creators Update ("FCU", 'rs3', i.e. 'Redstone 3', at least in name) is the 'production' branch of Windows 10 Mobile, and this is the very last regular 'Patch Tuesday' fix round-up for it. The official list for 15254.603 (from .600), the '2020-01B' update (no, I don't know what the B stands for, either!), is mainly composed of minor fixes and security patches, at least in terms of mobile relevance.


All of which are fully supported at this exact second, but from now on there will be no more monthly updates. Which means that, technically, Windows 10 Mobile is 'End Of Life' (EOL) and is unsupported going forward. Now, obviously, and especially with this shiny new security patch onboard, phones aren't going to suddenly stop working, but the EOL status and also the hammer blow of WhatsApp (in theory) ceasing to work in 2020 (see how to export your chats) do add an extra urgency to the search for alternative phones and platforms, all of which are likely to be better supported.


Customer had questions regarding the CVEs identified in Microsoft's January 14, 2020 Patch Tuesday release, in which Microsoft shipped software fixes for 49 vulnerabilities. Among the vulnerabilities patched were critical weaknesses in Windows CryptoAPI, Windows Remote Desktop Gateway (RD Gateway), and Windows Remote Desktop Client. An attacker could remotely exploit these vulnerabilities to decrypt, modify, or inject data on user connections. The RD Gateway flaws (CVE-2020-0609 and CVE-2020-0610) are reachable before authentication and allow remote code execution, so Internet-facing RD Gateway servers deserve the same patching urgency as the CryptoAPI fix; the RD Client flaw (CVE-2020-0611) requires a user to connect to a malicious server.


Windows XP, Windows Vista, Windows 7, Windows 8, and Windows 8.1 are no longer supported by Microsoft and so no longer receive security patches. Windows 8.1 support ended on January 10, 2023; Windows 8 support ended on January 12, 2016; Windows 7 support ended on January 14, 2020; Windows Vista support ended on April 11, 2017; and Windows XP support ended on April 8, 2014.

