Free Republic


Critical Vulnerabilities in Microsoft Windows Operating Systems (Alert AA20-014A)
US-CERT (Department of Homeland Security) | 14 January 2020 | US-CERT

Posted on 01/14/2020 12:01:09 PM PST by MeganC

Summary

New vulnerabilities are continually emerging, but the best defense against attackers exploiting patched vulnerabilities is simple: keep software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.

On January 14, 2020, Microsoft released software fixes to address 49 vulnerabilities as part of their monthly Patch Tuesday announcement. Among the vulnerabilities patched were critical weaknesses in Windows CryptoAPI and in the Windows Remote Desktop Protocol (RDP) gateway server and client. An attacker could exploit these remotely: in the CryptoAPI case to spoof signatures and decrypt, modify, or inject data on user connections, and in the RDP case to execute arbitrary code:

CryptoAPI spoofing vulnerability – CVE-2020-0601: This vulnerability affects all machines running 32- or 64-bit Windows 10, including Windows Server 2016 and 2019. The flaw is in how Windows CryptoAPI (crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates: when matching a certificate's signer against a cached trusted root, it compared the public key but did not check that the explicit curve parameters carried in the certificate matched those of the root. An attacker can therefore choose a private key and a non-standard generator under which that private key yields the trusted root's public point, then sign with it; the unpatched validator treats the result as issued by the trusted root. This lets ECC certificate validation bypass the trust store, enabling unwanted or malicious software to masquerade as authentically signed by a trusted organization, which could deceive users or thwart malware detection methods such as antivirus.

Additionally, an attacker could forge a TLS certificate for a hostname they do not control, and a browser or other client that relies on Windows CryptoAPI for chain validation would accept it without warning, allowing the attacker to decrypt, modify, or inject data on user connections undetected. Two practical points follow. Software that validates certificates with its own library (Firefox with NSS, for example) is not exposed through this path, whereas anything built on CryptoAPI is, including Authenticode code-signature checks. And the January 2020 update adds detection: a patched system that encounters a certificate exploiting CVE-2020-0601 writes Event ID 1 from source Microsoft-Windows-Audit-CVE to the Application event log, which is worth alerting on.

Multiple Windows RDP vulnerabilities – CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611: CVE-2020-0609 and CVE-2020-0610 are pre-authentication remote code execution flaws in Windows Remote Desktop Gateway (RD Gateway) and affect Windows Server 2012 and newer; an unauthenticated attacker who can reach the gateway can exploit them with a specially crafted request, with no user interaction. CVE-2020-0611 is in the Remote Desktop client and affects Windows 7 and newer; it is exploited by convincing a user to connect to a malicious RDP server, after which that server can run arbitrary code on the client. Because RD Gateway is by design reachable from the internet, those servers should be patched first; where patching is delayed, restrict who can reach the gateway at the network edge.

(Excerpt) Read more at us-cert.gov ...


TOPICS:
KEYWORDS: exploit; hacking; microsoft; patch; windows
To: Openurmind

That seems to be what Microsoft is doing; Windows is a broken mess.


21 posted on 01/14/2020 1:06:32 PM PST by datricker (Cut Taxes Repeal ACA Deport DACA - Americans First, Build the Wall, Lock her up MAGA!)
[ Post Reply | Private Reply | To 11 | View Replies]

To: Carpe Cerevisi

LOL

I might some day hehehehehe....


22 posted on 01/14/2020 1:19:05 PM PST by SaveFerris (Luke 17:28 ... as it was in the days of Lot; they did eat, they drank, they bought, they sold ......)
[ Post Reply | Private Reply | To 8 | View Replies]

To: Mariner

First let me share that this is an honest and objective reply. Thank you. :)

But in the whole of things even an upgraded version of an MS app has its own new learning curve. So it is something everyone would have to go through anyway, even with MS-compatible ware. So it is practical if you don’t mind a little personal effort and want to finally remove that idiotic MS ball and chain of failure.

That is right, it is NOT Windows and there will be a slight “adaptation” required. But it is no longer the mythical “black box with text” terminal everyone is visualizing, and only a few of us argue against this antiquated false perception.

Have you tried this Mint 18.3 Cinnamon yet? From the perspective of a new Linux user? It is basically Win 7 in a Linux wrapper concerning usability, function, and features. In fact you can make it emulate Win XP and Win 7, icons and all, if you like, and it would be hard to tell the difference. The whole stigma is that assumed black-box terminal, which is now rarely if ever needed for a normal user.

That MS ball and chain of failure can indeed be completely removed to have peace of mind. And on top of that you can indeed gain superior security and rid yourself of all the sadistic tendencies imposed on you from MS.

It is now very easy to use, and yes a little personal effort and thinking will be required. But the benefits of this minimal effort far outweigh the slight inconvenience. And any average windows 7 user will feel right at home right away.

It is like trying to describe the color blue to the sight impaired, until they actually see it for themselves, they will never understand. What doesn’t help is others blind folding folks even if they can indeed see and willing to look.


23 posted on 01/14/2020 1:23:52 PM PST by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)
[ Post Reply | Private Reply | To 14 | View Replies]

To: MeganC

I said this when I called MS about Win 3.0, back in ???


24 posted on 01/14/2020 1:24:44 PM PST by Scrambler Bob (This is not /s. It is just as viable as any MSM 'information', maybe more so!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: datricker

That seems to be what Microsoft is doing; Windows is a broken mess.
= = =

Getting up to speed on slang, could that be called a Hot Mess?


25 posted on 01/14/2020 1:33:33 PM PST by Scrambler Bob (This is not /s. It is just as viable as any MSM 'information', maybe more so!)
[ Post Reply | Private Reply | To 21 | View Replies]

To: datricker

“That seems to be what Microsoft is doing; Windows is a broken mess.”

After running this version of Mint for two years now without ever needing to update the system even once (a couple of the apps, yes, but always to the positive), it has opened a new world of what a stable, secure OS should really be like...

What an incredible difference with peace of mind... I have no clue what Microsoft is up to and I have discovered NONE of it is actually necessary at all. I don’t even need an antivirus; that alone is just fantastic in itself and worth all the minimal effort.


26 posted on 01/14/2020 1:37:09 PM PST by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)
[ Post Reply | Private Reply | To 21 | View Replies]

To: Mariner

Consider this... with the Linux structure no changes can be made to the isolated system partition without getting through the locked door with a key to root it. So unless you gave the key to your ex old lady and she is pissed, you don’t have much to worry about or need “anti ex old lady” security updates... lol :)


27 posted on 01/14/2020 1:50:02 PM PST by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)
[ Post Reply | Private Reply | To 14 | View Replies]

To: Openurmind

thank you for your cogent reply.

I think our disagreement is about humanity’s ability to adopt something new.

If it is a leadership edict, it will be resisted. ESPECIALLY if it is an IT edict.

There’s the real learning curve, and then there’s the resistance curve, where every wrong thing (and there will be) is broadcast from the highest mountain, and every good thing is assumed to be normal and effortless.

As a result business disruption is likely to ensue.

The most a large IT organization can do is enforce Linux/Unix in the datacenter (only a fool would build an enterprise application that is not fully webified), and ALLOW IT in some standard, tested, supported and enforced version on the desktop. Thus it is likely to follow the path of Apple’s adoption in the enterprise.

Not unlike the early adoption of VoIP, some folks are scared of it, and most others skeptical.

Now enterprises routinely deliver voice traffic over WiFi/internet to a PC client anywhere in the world.


28 posted on 01/14/2020 1:54:24 PM PST by Mariner (War Criminal #18)
[ Post Reply | Private Reply | To 23 | View Replies]

To: MeganC
On January 14, 2020, Microsoft released software fixes to address 49 vulnerabilities as part of their monthly Patch Tuesday announcement

So it has been fixed in this update?

29 posted on 01/14/2020 1:54:31 PM PST by McGruff
[ Post Reply | Private Reply | To 1 | View Replies]

To: Openurmind

I consulted with an enterprise where all root password/UID were stored on an “unsecured server”, and most of them were shared, generic UIDs. Of course you also need a widely distributed UID/PWD to get into the “vault”.

The Unix admin boss said it was needed to facilitate timely restorals and vacation rotations lol

FAILED THE AUDIT!

These were privileged passwords. And they could change the configuration of nearly every Linux/Unix server in the very large enterprise. Medical enterprise. Patient care and PCI and HIPAA.


30 posted on 01/14/2020 2:04:04 PM PST by Mariner (War Criminal #18)
[ Post Reply | Private Reply | To 27 | View Replies]

To: Mariner

While it always tends to be the IT guys and those here who actually work for Microsoft who denounce and direct folks away from the advantages of Linux, I am seriously only focused on the real advantages for the average personal boob user who has limited tech ability and knowledge and their own personal key to root, if ever even needed.

I care about the older people here who really do not deserve this ignorant BS abuse from MS. I try to share that there is a way out of this MS mess forever, and that it is indeed very secure and stable if you don’t share your personal key anywhere. Hard to argue with in intent and direction. And it is no harder to learn and migrate to than it was moving from Win XP to Win 7 and learning the new apps that would no longer work on Win XP.

It has come to the edge of the cliff, and despite popular belief, there is indeed something else to reach out and grab a hold of besides Microsoft... And better yet, also against popular belief, there is no law against it and it’s free with no proprietary control or regulation.


31 posted on 01/14/2020 2:25:02 PM PST by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)
[ Post Reply | Private Reply | To 30 | View Replies]

To: Openurmind

I don’t think I’ve ever seen anyone “denounce Linux” on this forum.


32 posted on 01/14/2020 2:28:47 PM PST by Mariner (War Criminal #18)
[ Post Reply | Private Reply | To 31 | View Replies]

To: Mariner

Oh trust me... It happens all the time... I know, I have been on a campaign against Microsoft ever since I found Linux.

I can start pointing them out if you like...


33 posted on 01/14/2020 2:49:22 PM PST by Openurmind (The ultimate test of a moral society is the kind of world it leaves to its children. ~ D. Bonhoeffer)
[ Post Reply | Private Reply | To 32 | View Replies]

To: McGruff

“So it has been fixed in this update?”

Supposedly so. On my own computer the fix for the cryptographic vulnerability was bundled with the package that updated my laptop from build 1903 to 1909.


34 posted on 01/14/2020 3:17:37 PM PST by MeganC (There is nothing feminine about feminism.)
[ Post Reply | Private Reply | To 29 | View Replies]

To: deoetdoctrinae; Abby4116; afraidfortherepublic; aft_lizard; AF_Blue; AppyPappy; arnoldc1; ...
Windows 10 Vulnerabilities - It's Patch Tuesday! ... PING!

You can find all the Windows Ping list threads with FR search: just search on keyword "windowspinglist".

Thanks to deoetdoctrinae for the ping!

35 posted on 01/14/2020 6:09:25 PM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")
[ Post Reply | Private Reply | To 9 | View Replies]

To: Openurmind; Mariner
Have you tried this Mint 18.3 cinnamon yet? From the perception of a new linux user? It is basically win 7 in a linux wrapper concerning usability, function, and features.

It is good, but that is too much oversell once you get into more than basics and the ease and scope of customization via safe freeware. Anyway, as you well know (thanks again) I am running Mint on my older PC, though it took determination to get it to install and/or enable wireless, and it is fast as it should be (4.2GHz CPU and 16RAM).

But now who can tell me a simple way to create a shortcut key to resume from Sleep? Configuring a shortcut to Sleep is enabled, but not for waking it (doing so by USB devices is enabled in the BIOS), thus requiring pressing the power button.

I searched and complicated scripts are proffered for Mint to do this, but it should be easy (like it is in Windows).

Thanks. Grace and peace thru Jesus the Lord.

36 posted on 01/14/2020 7:02:12 PM PST by daniel1212 ( Trust the risen Lord Jesus to save you as a damned and destitute sinner + be baptized + follow Him)
[ Post Reply | Private Reply | To 23 | View Replies]

To: MeganC

I am waiting on Windows 11 to come out that will fix everything.....


37 posted on 01/14/2020 8:16:31 PM PST by minnesota_bound (homeless guy. He just has more money....)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Mariner

#30 I keep my passwords on sticky notes on the edge of my display. Makes it easy for me.


38 posted on 01/14/2020 8:21:01 PM PST by minnesota_bound (homeless guy. He just has more money....)
[ Post Reply | Private Reply | To 30 | View Replies]

To: daniel1212

[[But now who can tell me a simple way to create a shortcut key to resume from Sleep?]]

With Linux? On my Linux desktop I just half-click the start button on the tower to resume from sleep.


39 posted on 01/14/2020 8:35:01 PM PST by Bob434
[ Post Reply | Private Reply | To 36 | View Replies]

To: daniel1212

[[thus requiring pressing the power button. ]]

Doh, didn’t read far enough before answering. I see you are already aware of that.


40 posted on 01/14/2020 8:36:01 PM PST by Bob434
[ Post Reply | Private Reply | To 36 | View Replies]



