Microsoft’s Patch Tuesday has come again and, with it, another highly publicized vulnerability, CVE-2020-0601. This week’s notification is particularly interesting since it was the National Security Agency (NSA) that discovered and reported the looming potential weakness to Microsoft, which was followed by an unprecedented public disclosure. The NSA’s Director of Cybersecurity, Anne Neuberger, confirmed that the NSA first reported this vulnerability to Microsoft, and that this was the first time Microsoft has credited the NSA for reporting a security flaw. This disclosure apparently is related to a new initiative within the NSA to share important vulnerability findings on a more regular basis.
A lot of people are patting the NSA on the back for handling the vulnerability in such a responsible way. It’s certainly leaps and bounds above their last major vulnerability disclosure (EternalBlue), which came in the form of leaked NSA attack tools. That said, one of the responsibilities of the NSA is to collect intelligence, and to do that effectively you need to hack people and to hack people you need attack paths. Of course, the security agency can’t disclose all of those attack paths, and the fact they disclosed this one likely shows that the benefit of disclosing it outweighed the benefit of keeping it to themselves. It may have been an active attack in use for years, but those of us outside the intelligence community will probably never know.
Should you be concerned? In a nutshell, this vulnerability makes multiple forms of “man-in-the-middle” attacks possible. These are the types of attacks more likely to be used by advanced attackers, such as nation states (like the NSA), than by your Eastern European ransomware groups that frequently target small and medium-sized companies. If you’re an organization that’s able to quickly and effectively deliver updates and patches, you don’t need to be overly concerned. Apply the latest Microsoft fixes using your standard process as soon as possible. This attack has implications for all Windows systems, so endpoints need to be updated, as well as servers, and this applies to internal systems as much as internet-facing systems.
A lot of organizations, though, do not fall into the category of being able to quickly and effectively deliver patches to their systems. If that describes your company, then you should be concerned, but not just about this particular vulnerability. In our consulting and audit practices, we find organizations that struggle with operational tasks, such as effective implementation of software updates, normally have a host of other security issues that are much easier to attack than a vulnerability like CVE-2020-0601. If your approach to patching is to never patch, particularly servers, or to only patch internet-facing systems, then your organization is probably at a very low security maturity level and would benefit greatly from outside help.
Good luck, and don’t forget to test, back up and snapshot before you update. And if you use Citrix, don’t forget to put in place the remediation for CVE-2019-19781, which is a remotely exploitable Citrix server vulnerability that’s a higher risk than this latest Microsoft vulnerability.
The Schneider Downs cybersecurity practice consists of experts in multiple technical domain services, including security audits, assessments, penetration testing, incident response and indicator of compromise assessments. All organizations can benefit from one or more of our services. The benefit of being at a lower security maturity level is that you will typically get the most bang for your buck in terms of the number of findings and recommendations.