Microsoft released a patch for vulnerability CVE-2020-0601 on January 14, 2020. CVE-2020-0601 is a vulnerability that malicious parties can exploit to bypass the certificate validation mechanisms of Windows CryptoAPI. This vulnerability allows malicious parties to spoof code-signing certificates and use them to sign malware, making the malware appear to originate from a trusted source. Alibaba Cloud has synchronized this update to the Windows system update source. We recommend that you update the operating system of your ECS instances with the latest patches at your earliest convenience.

Detected vulnerability

  • Vulnerability number: CVE-2020-0601
  • Vulnerability severity: critical
  • Patch update time: January 14, 2020
  • Affected versions:
    • Windows 10
    • Windows Server 2016
    • Windows Server 2019
    • Windows Server Version 1809
    • Windows Server Version 1903
    • Windows Server Version 1909

Details

Vulnerability CVE-2020-0601 exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates, and poses critical security risks to the following operations that rely on certificate validation:

  • HTTPS connections
  • Signed files and emails
  • Signed executable programs that are started in user mode

Malicious parties can exploit this vulnerability to spoof code-signing certificates and use them to sign malicious files, or to launch man-in-the-middle attacks that decrypt confidential information on user connections to the affected software.

Security suggestion

Install the patch for vulnerability CVE-2020-0601 at your earliest convenience.

Solution

You can install the patch for vulnerability CVE-2020-0601 by using one of the following methods:

Announcing party

Alibaba Cloud Computing Co., Ltd.

If you have any requests or feedback, submit a ticket to contact Alibaba Cloud.