Microsoft released a patch for vulnerability CVE-2020-0601 on January 14, 2020. CVE-2020-0601 is a vulnerability that malicious parties can exploit to bypass the validation mechanisms of Windows CryptoAPI. It allows malicious parties to spoof code-signing certificates and use them to sign malware, so that the malware appears to originate from a trusted source. Alibaba Cloud has synchronized this update to the Windows system update source. We recommend that you update the operating system of your ECS instance with the latest patches at your earliest convenience.
- Vulnerability number: CVE-2020-0601
- Vulnerability severity: critical
- Patch update time: January 14, 2020
- Affected versions:
  - Windows 10
  - Windows Server 2016
  - Windows Server 2019
  - Windows Server Version 1809
  - Windows Server Version 1903
  - Windows Server Version 1909
Vulnerability CVE-2020-0601 exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates, and poses critical security risks to the following trusted entities:
- HTTPS connections
- Signed files and emails
- Signed executable programs that are started in user mode
Malicious parties can exploit this vulnerability to spoof code-signing certificates and use them to sign malicious files, or to launch man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.
Install the patch at your earliest convenience.
You can install the patch for vulnerability CVE-2020-0601 by using one of the following methods:
- Method 1: Use the Windows Update program to install the new security updates released in January 2020 or all the security updates.
- Method 2: Visit the official Microsoft website and download the patch from the page "CVE-2020-0601 | Windows CryptoAPI Spoofing Vulnerability".
Alibaba Cloud Computing Ltd.
If you have any requests or feedback, submit a ticket to contact Alibaba Cloud.