Posted on 01/14/2020 12:01:09 PM PST by MeganC
Summary
New vulnerabilities are continually emerging, but the best defense against attackers exploiting patched vulnerabilities is simple: keep software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
On January 14, 2020, Microsoft released software fixes to address 49 vulnerabilities as part of their monthly Patch Tuesday announcement. Among the vulnerabilities patched were critical weaknesses in Windows CryptoAPI and Windows Remote Desktop Protocol (RDP) server and client. An attacker could remotely exploit these vulnerabilities to decrypt, modify, or inject data on user connections:
CryptoAPI spoofing vulnerability CVE-2020-0601: This vulnerability affects all machines running 32- or 64-bit Windows 10 operating systems, including Windows Server versions 2016 and 2019. This vulnerability allows Elliptic Curve Cryptography (ECC) certificate validation to bypass the trust store, enabling unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization. This could deceive users or thwart malware detection methods such as antivirus.
Additionally, a maliciously crafted certificate could be issued for a hostname that did not authorize it, and a browser that relies on Windows CryptoAPI would not issue a warning, allowing an attacker to decrypt, modify, or inject data on user connections without detection.
Multiple Windows RDP vulnerabilities CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611: These vulnerabilities affect Windows Server 2012 and newer. In addition, CVE-2020-0611 affects Windows 7 and newer. These vulnerabilities, in the Windows Remote Desktop client and RDP Gateway Server, allow for remote code execution, where arbitrary code could be run freely. The server vulnerabilities do not require authentication or user interaction and can be exploited by a specially crafted request. The client vulnerability can be exploited by convincing a user to connect to a malicious server.
(Excerpt) Read more at us-cert.gov ...
This is crazy important and is VERY important news!!!
Thanks MeganC.
I guess it’s no coincidence that the revised Chrome Edge (Chredge) will be released tomorrow.
My experience is that I’m at least as vulnerable from screw-ups and malware in software updates. At least I know when I like the way a version works before the updaters get their hands on it.
“the best defense against attackers exploiting patched vulnerabilities is simple: keep software up to date”
Keeping your OS and browser on auto update is still the most basic, fundamental security step an individual can take.
If it breaks something on your client, change your client and move your data to a machine that can auto update without breaking. There are millions of them updating every week without failure. Why not yours?
Or, one day you’ll be sorry.
I’ve seen entire enterprises compromised and shut down because the IT didn’t want to be bothered with testing a patched OS release against fat clients, and let them sit “stable” for over a year.
Thank you. It is just incredible that folks just keep abusing themselves with this... No longer applicable here.
Only been out in the wild 4+ years...
Holy smokes...in before someone tells me to get Linux!!
If not.....
(Linux - The Ultimate Windows Service Pack) ~ ShadowAce.
Get linux... :)
“the best defense against attackers exploiting patched vulnerabilities is simple: keep software up to date
Keeping your OS and browser on auto update is still the most basic, fundamental security step an individual can take.
If it breaks something on your client, change your client and move your data to a machine that can auto update without breaking. There are millions of them updating every week without failure. Why not yours?
Or, one day you’ll be sorry.
I’ve seen entire enterprises compromised and shut down because the IT didn’t want to be bothered with testing a patched OS release against fat clients, and let them sit “stable” for over a year.”
Or just load something that rarely ever needs any updates in the first place...
As the whole world aside from personal computers including Microsoft embraces the Linux kernel why is there so much opposition to this even from IT guys? Job security? If it doesn’t break then they will all be out of work?
I just created a system image in case something happens. It took 5 DVDs (including the boot dvd). I have a 128G usb disk (yes, formatted NTFS) but MS refuses to let me write the image to that device because usb drives used to have less space 20 years ago.
Linux is beginning to own entire sections of the datacenter.
But for most end users it’s not practical, as it requires them to learn and know something about their appliance. And it almost always requires new applications...and that learning curve.
At least 99% of all consumers will stick with the OS interface and applications they know. Windows, Apple or Linux/Unix.
Trying to change human nature is a fool’s errand.
That said, a properly patched and current Windows machine with commercial Firewall will keep you safe unless you are specifically targeted by a high-end hacker.
[[Critical Vulnerabilities in Microsoft Windows Operating Systems]]
Hmmm, report coming out right in time for ms to drop support for windows 7
> That said, a properly patched and current Windows machine with commercial Firewall will keep you safe unless you are specifically targeted by a high-end hacker.
Exactly, and if you are targeted by one they will know hacks that aren’t patched here and still won’t be patched for a long long time.
Current IT security paradigms are employment programs for uncreative IT grads.
Right after I moved to W10 cuz I had to...POW!...right in the kisser...
That’s a crazy way to do it. Better to get an external usb hard drive and make a bootable clonezilla thumb drive. Much much faster and much much less hassle.
Yep...
The inertia I have to try and overcome with some of my clients is ridiculous. Of course, if they fail to take my recommendations... and something bad happens, I still get the blame.
You win some, you lose some.