Critical vulnerabilities in Microsoft Windows

Our advisories highlight current cyber security threats and vulnerabilities in New Zealand, and provide guidance on how to mitigate their impact.


11:25am, 15 January 2020

TLP Rating: Clear


As part of its January 2020 patch cycle, Microsoft has released updates that fix several critical vulnerabilities.

Three of the vulnerabilities are in Remote Desktop components. CVE-2020-0609 and CVE-2020-0610 allow unauthenticated remote code execution on servers running the Remote Desktop Gateway (RD Gateway) role. CVE-2020-0611 allows remote code execution on a machine running the Remote Desktop Client when that client connects to a malicious RDP server.

Microsoft has also patched a critical vulnerability in the Windows CryptoAPI (crypt32.dll). This vulnerability, CVE-2020-0601, lets an attacker craft X.509 certificate chains that validate as if issued by an arbitrary trusted certificate authority, by abusing the way the API checks Elliptic Curve Cryptography (ECC) certificates.

What's happening

Systems affected

The CryptoAPI vulnerability (CVE-2020-0601) affects:

  • Windows Server 2016, 2019
  • Windows 10

The RD Gateway vulnerabilities (CVE-2020-0609 and CVE-2020-0610) affect:

  • Windows Server 2012, 2016, 2019

The RDP client vulnerability (CVE-2020-0611) affects:

  • Windows Server 2008, 2012, 2016, 2019
  • Windows 7, 8.1, 10

What this means

While it is normal for Microsoft to release monthly patches, the January 2020 release addresses critical vulnerabilities that are likely to be exploited by attackers, either individually or in combination.

With CVE-2020-0609 and CVE-2020-0610 attackers can execute arbitrary code, without any credentials, on an exposed RD Gateway service, giving them full control of the server.

With CVE-2020-0611 attackers can execute arbitrary code on a victim’s machine when the victim’s RDP client connects to their malicious RDP server.

With CVE-2020-0601 attackers can man-in-the-middle TLS-protected traffic, such as HTTPS, wherever the client relies on the Windows CryptoAPI to verify the server's certificate. It would also allow attackers to forge code signatures that validate as genuine, including on driver software, so malicious software appears to have been produced by a trusted publisher.

What to look for

How to tell if you're at risk

Systems are vulnerable if they’re running an affected version of Windows, and have not had the January 2020 Windows updates applied.

Affected versions are:

  • Windows Server 2008, 2012, 2016, 2019
  • Windows 7, 8.1, 10
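Once the January 2020 update is installed, the patched CryptoAPI writes Event ID 1 from the source Microsoft-Windows-Audit-CVE to the Application log whenever it rejects a certificate that attempts to exploit CVE-2020-0601, as documented in Microsoft's guidance for the update. The following PowerShell function is an added example, not part of the CERT NZ advisory or any Microsoft tooling; it sweeps that audit event across hosts so exploitation attempts can be triaged. Note the caveat: unpatched hosts never log this event, so an empty result on an unpatched host says nothing about whether it was attacked.

```powershell
# Added example (not from the CERT NZ advisory): collect the CryptoAPI audit events that
# a patched host records when it refuses a certificate crafted against CVE-2020-0601.
# Event source and ID are those documented by Microsoft for the January 2020 update.
function Get-Cve20200601Attempts {
    [CmdletBinding()]
    param(
        # Hosts to query over the remote event log service; defaults to the local machine.
        [string[]]$ComputerName = $env:COMPUTERNAME,
        # Look-back window; 30 days is an arbitrary default for a first sweep.
        [datetime]$Since = (Get-Date).AddDays(-30)
    )

    foreach ($computer in $ComputerName) {
        $filter = @{
            LogName      = 'Application'
            ProviderName = 'Microsoft-Windows-Audit-CVE'
            Id           = 1
            StartTime    = $Since
        }
        try {
            $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # Get-WinEvent reports "no matching events" as an error rather than an empty result.
            if ($_.Exception.Message -match 'No events were found') { continue }
            Write-Warning "$computer : $($_.Exception.Message)"
            continue
        }

        # The same provider can report other CVEs; keep only the CryptoAPI ones.
        foreach ($event in ($events | Where-Object { $_.Message -match 'CVE-2020-0601' })) {
            [pscustomobject]@{
                Computer = $computer
                Time     = $event.TimeCreated
                # The message names the process that requested validation and the
                # certificate thumbprints involved; keep it whole for incident review.
                Message  = $event.Message
            }
        }
    }
}

# Usage: sweep an inventory and keep anything found for the incident responders.
# Get-Content .\hosts.txt | ForEach-Object { Get-Cve20200601Attempts -ComputerName $_ } |
#     Export-Csv .\cve-2020-0601-attempts.csv -NoTypeInformation
```

Any hit is worth investigating: a legitimate certificate never carries the malformed ECC parameters this check rejects, so the event indicates either a deliberate exploitation attempt or a test tool run against that host.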

What to do

Prevention

Ensure all vulnerable Windows systems on your network are patched with the January 2020 updates as soon as possible.

These patches should be considered urgent. If it’s difficult to apply them to all affected devices immediately, prioritise the devices that are:

  • exposed to the internet – especially if running RDP
  • used by administrators and high-privileged users, or
  • used for business-sensitive purposes.
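The risk check and the prioritisation above can be scripted. The PowerShell function below is an added example, not CERT NZ's or Microsoft's code. It reports the Windows version, whether any update has been installed since the January 2020 Patch Tuesday (14 January 2020, used here as an assumed heuristic for "January 2020 updates applied"; confirm the build-specific KB from Microsoft's advisory before treating a host as patched), and whether the host exposes Remote Desktop or the RD Gateway role, then assigns a priority in line with the advisory's guidance. The port numbers (TCP 3389 for RDP, UDP 3391 for the RD Gateway UDP transport) are the Windows defaults.

```powershell
# Added example (not from the CERT NZ advisory): triage the local host against the
# January 2020 Windows updates and the exposure criteria in this advisory.
function Get-Jan2020PatchTriage {
    [CmdletBinding()]
    param(
        # January 2020 Patch Tuesday; updates installed on or after this date count.
        # This is a heuristic, not a check for the exact cumulative update KB.
        [datetime]$PatchTuesday = [datetime]'2020-01-14'
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $recent = @(Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday })

    # fDenyTSConnections = 0 means the Remote Desktop listener is switched on.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpEnabled = ($ts.fDenyTSConnections -eq 0)

    # Get-WindowsFeature only exists on Windows Server (ServerManager module).
    $rdGateway = $false
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $rdGateway = [bool](Get-WindowsFeature -Name RDS-Gateway).Installed
    }

    # Live listeners: RDP on TCP 3389, RD Gateway UDP transport on UDP 3391.
    # The NetTCPIP cmdlets exist on Windows 8 / Server 2012 and later only.
    $tcp3389 = $udp3391 = $null
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $tcp3389 = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
        $udp3391 = Get-NetUDPEndpoint -LocalPort 3391 -ErrorAction SilentlyContinue
    }

    # Priority follows the advisory: internet-facing RDP first, then other RDP hosts,
    # then everything else (the CryptoAPI and RDP client bugs apply to all of them).
    $priority = switch ($true) {
        ($recent.Count -gt 0)      { 'Patched (verify the build-specific January 2020 KB)'; break }
        ($rdGateway -or $udp3391)  { 'P1: unpatched RD Gateway, pre-auth RCE (CVE-2020-0609/0610)'; break }
        ($rdpEnabled -or $tcp3389) { 'P2: unpatched host with Remote Desktop enabled'; break }
        default                    { 'P3: unpatched, schedule now (CVE-2020-0601 and CVE-2020-0611 still apply)' }
    }

    [pscustomobject]@{
        Computer                 = $env:COMPUTERNAME
        OS                       = $os.Caption
        Build                    = $os.Version
        UpdatesSincePatchTuesday = @($recent | ForEach-Object HotFixID) -join ','
        RdpListenerEnabled       = $rdpEnabled
        RdGatewayRole            = $rdGateway
        RdGatewayUdp3391         = [bool]$udp3391
        Priority                 = $priority
    }
}

# Usage: run locally, or across an inventory with PowerShell remoting (needs WinRM), e.g.
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-Jan2020PatchTriage} |
#     Sort-Object Priority | Format-Table -AutoSize
```

The script only tells you where to start; it does not replace confirming the exact update for each build. Where an RD Gateway genuinely cannot be patched straight away, Microsoft's advisory for CVE-2020-0609 and CVE-2020-0610 lists disabling the gateway's UDP transport (or blocking UDP 3391 at the perimeter) as an interim workaround; that removes the reachable attack surface but leaves the vulnerable code in place, so the patch is still required.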

More information

Read more information on Microsoft’s website on each vulnerability:

New Zealand's NCSC has issued an advisory on the issue:

NCSC's advisory

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ

For media enquiries, email our media desk at certmedia@cert.govt.nz or call on 021 854 384