Security researchers today published proof-of-concept (PoC) code for exploiting the cryptographic bug that the NSA discovered and reported to Microsoft. The vulnerability affected Windows and has now been fixed; Microsoft shipped the fix in its January 2020 Patch Tuesday release.
Some have called the bug "CurveBall" and, as we mentioned in a previous article, it affects CryptoAPI (Crypt32.dll), a core component of Windows.
Researcher Tal Be'ery analyzed the bug: "The cause of this vulnerability is the incorrect implementation of Elliptic Curve Cryptography (ECC) in Microsoft's code," he said.
According to the NSA, DHS and Microsoft, exploiting this vulnerability (CVE-2020-0601) could allow an attacker to carry out man-in-the-middle attacks, gain access to sensitive information, create fake certificates, and more.
Security experts characterize the vulnerability as critical.
This is the first time the NSA has reported a bug to Microsoft. The authorities have given government services 10 days to install Microsoft's January 2020 patch.
Researchers published proof-of-concept exploits
The first researcher to tackle the CurveBall vulnerability was Saleem Rashid, who created proof-of-concept code for forging TLS certificates so that malicious sites appear legitimate. Rashid did not publish his code, but other researchers did so just hours later. The first public CurveBall exploit came from the company Kudelski Security, followed by a second exploit from a Danish researcher known as Ollypwn.
Now that exploits are public, the likelihood of attacks increases, so users need to install the update. The good news for those who have not yet received the patch is that Windows Defender has been updated to detect exploitation attempts and alert users, although detection is no substitute for applying the patch.