Headline
January 2020 Security Updates: CVE-2020-0601
The January security updates include several Important and Critical security updates. As always, we recommend that customers update their systems as quickly as practical. Details for the full set of updates released today can be found in the Security Update Guide. We believe in Coordinated Vulnerability Disclosure (CVD) as proven industry best practice to address security vulnerabilities.
The January security updates include several Important and Critical security updates. As always, we recommend that customers update their systems as quickly as practical. Details for the full set of updates released today can be found in the Security Update Guide.
We believe in Coordinated Vulnerability Disclosure (CVD) as proven industry best practice to address security vulnerabilities. Through a partnership between security researchers and vendors, CVD ensures vulnerabilities are addressed prior to being made public. To prevent unnecessary risk to customers, security researchers and vendors do not discuss the details of reported vulnerabilities before an update is available.
This month we addressed the vulnerability CVE-2020-0601 in the usermode cryptographic library, CRYPT32.DLL, that affects Windows 10 systems, including server versions (Windows Server 2016 and Windows Server 2019). This vulnerability is classed Important and we have not seen it used in active attacks. This vulnerability is one example of our partnership with the security research community where a vulnerability was privately disclosed and an update released to ensure customers were not put at risk. We encourage all security researchers to report potential vulnerabilities to us through our portal.
Another example of how we partner across industry is our Security Update Validation Program (SUVP). Through this program, select organizations from around the world receive limited and controlled access to evaluation versions of these updates so they can validate and verify interoperability in their test environments. These are release candidates for the purposes of application compatibility testing. Their feedback helps us to be able to ship quality security fixes to all customers on Update Tuesday. The SUVP program participants are not permitted to use the fixes except for this purpose.
Microsoft does not release updates for production deployment for any organization ahead of our regular Update Tuesday schedule.
Through this set of commitments, we continue to deliver high-quality security fixes that help protect our customers.
– Mechele Gruhn, Principal Security Program Manager, MSRC
Related links: Learn about Coordinated Vulnerability Disclosure
Learn about the Security Update Validation Program (SUVP)
Read the Microsoft Security Update Guide
Report a Security Vulnerability to Microsoft
Related news
gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/ Three vectors were found that allow the following DOS attacks: - Unbounded memory buffering in the HPACK parser - Unbounded CPU consumption in the HPACK parser The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client. The unbounded memory buffering bugs: - The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb. - HPACK varints have an encoding quirk whereby an infinite number of 0’s can be added at the start of an integer. gRPC’s hpack parser needed to read all of them before concluding a parse. - gRPC’s metadata overflow check was performed per frame, so ...
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
HashiCorp Consul Enterprise version 1.7.0 up to 1.8.4 includes a namespace replication bug which can be triggered to cause denial of service via infinite Raft writes. Fixed in 1.7.9 and 1.8.5.
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'.