On Patch Tuesday this week, Microsoft patched a major security flaw. Now, security researchers has released a proof-of-concept (PoC) that shows the vulnerability can be exploited. The “Curveball” Windows flaw was reported to Microsoft by the United States National Security Agency (NSA) and deemed “dangerous”.
Known as Curveball, the vulnerability is found in CryptoAPI (Crypt32.dll), a Windows OS process that managed cryptographic functionality. Security researcher Tal Be’ery says the flaw is caused by a problematic use of Elliptic Curve Cryptography (ECC) in Microsoft’s Windows code.
Microsoft has confirmed a successful exploit of the bug (CVE-2020-0601) would allow attacks to fake email and file signatures, fake executable code on Windows, and launch man-in-the-middle (MitM) attacks.
“An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.”
After reporting the flaw to Microsoft, the NSA went public. On Twitter, Acting Homeland Security Advisor Rob Joyce said the vulnerability is “seriously, seriously bad.”
“The vulnerability places Windows end points at risk to a broad range of exploitation vectors. NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable.”
However, the NSA was praised for acting quickly and openly, including a security alert (something the agency rarely does). The launch of an emergency directive pushed government agencies to patch their Windows machines within 10 days.
The vulnerability is something of a testing ground for the way NSA and Microsoft can function to prevent bugs being exploited. This is the first time the agency has reported a flaw to Redmond. Of course, this was an especially problematic flaw that needs to be patched ASAP.