Search This Site

 

Main menu

Dangerous Microsoft Vulnerability - Apply January 2020 Patch Tuesday patches ASAP

On February 6, 2020, blocking any unpatched Windows 10 computers from the High Security Virtual Private Network (HSVPN) begins.

Update February 4, 2020: On January 14, 2020, the National Security Agency (NSA) issued an advisory about a critical Microsoft vulnerability affecting the Microsoft Windows cryptographic functionality. A note was sent that evening to UVA LSPs, recommending everyone install the patch as soon as possible. We also announced that we will block unpatched devices attempting to access the High Security Virtual Private Network (HSVPN) on Friday, January 24th.  However, as a result of complexities identifying the presence of this specific patch, we were unable to block as originally planned. The issues with identifying the patch have now been resolved (and tested). Therefore, we will begin blocking any non-patched Windows machines connecting to the High Security VPN starting on Thursday, February 6, 2020. 


Posted: January 15, 2020

National Security Agency (NSA) Finds Dangerous Microsoft Vulnerability

Summary

The National Security Agency (NSA) issued an advisory that Microsoft patches released on January 14, 2020, need to be applied immediately.

This patch provides updates to plug 50 security holes in various Windows and related software.  The patch includes a fix for a flaw in Windows 10 and server equivalents of this operating system.  The flaw makes the device vulnerable to cyber attacks.

 

Impact

According to the advisory (PDF) released by the NSA, the flaw may have far more wide-ranging security implications, noting that the “exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.”

The exploitation of this vulnerability has already occurred – happening much sooner than experts predicted. With this weakness, attackers can impersonate everything from trusted websites to the source of software updates for Windows and other programs. Examples, where validation of trust may be impacted, include HTTPS connections and signed files and emails.

 

Vulnerable

The vulnerability applies to users that own devices that use a Windows 10 operating system and server equivalents of this operating system. 

To learn how to find which version of Windows operating system your PC is running go to https://support.microsoft.com/en-us/help/13443/windows-which-version-am-i-running

 

Recommendations

If you are running a Windows 10 operating system the patches will be pushed to you directly over the Internet. 

Windows 10 offers you the choice of when and how to get the latest updates to keep your device running smoothly and securely.  Here's how to manually check that the latest recommended updates are applied, select the Start button, then select Settings  > Update & Security  > Windows Update .

If you have any concerns you may follow up with your LSP to ensure that your computer has been updated or contact the UVA Help Desk at  434-924-4357 or by emailing 4help@virginia.edu.

UVA Information Technology Services (ITS) will begin blocking unpatched devices attempting to access the High-Security Virtual Private Network (HSVPN) on Friday, January 24th.

References

[1] https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF

[2] https://krebsonsecurity.com/2020/01/patch-tuesday-january-2020-edition/

[3] https://support.microsoft.com/en-us/help/13443/windows-which-version-am-i-running

 

 

Report an Information
Security Incident

Please report any level of incident, no matter how small. The Information
Security office will evaluate the report and provide a full investigation if appropriate.

Complete Report Form