By Jon Munshaw.
Updated January 15th: Added an Advanced Custom Detection (ACD) signature for AMP that can be used to detect exploitation of CVE-2020-0601 via spoofed certificates masquerading as a Microsoft ECC Code Signing Certificate Authority.

Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 49 vulnerabilities, eight of which are considered critical.

This month's security update is particularly important for its disclosure of two vulnerabilities related to a core cryptographic component in all versions of Windows. CVE-2020-0601 could allow an attacker to sign a malicious executable so that the file appears to come from a trusted source. The victim would have no way of knowing that the file was malicious. Cybersecurity reporter Brian Krebs says the vulnerability is so serious that Microsoft secretly deployed a patch to branches of the U.S. military prior to today.

January's update is also the last that will provide free updates to Windows 7 and Windows Server 2008/2008 R2.

Talos also released a new set of SNORTⓇ rules that provide coverage for some of these vulnerabilities. For more, check out the Snort blog post here.

Critical vulnerabilities

Microsoft disclosed eight critical vulnerabilities this month, all of which we will highlight below.

CVE-2020-0603, CVE-2020-0605, CVE-2020-0606 and CVE-2020-0646 are all remote code execution vulnerabilities in the .NET and ASP.NET Core software. All four of these vulnerabilities can be triggered if a user opens a malicious, specially crafted file while using an affected version of .NET or ASP.NET Core. If successful, an attacker could then execute arbitrary code in the context of the current user. These bugs exist in how the software handles objects in memory.

CVE-2020-0609 and CVE-2020-0610 are remote code execution vulnerabilities in the Windows Remote Desktop Protocol Gateway Server. An attacker could exploit these bugs by sending a specially crafted request to the victim's RDP Gateway server via RDP. These vulnerabilities are exploitable before authentication and do not require any user interaction.

CVE-2020-0611 is a remote code execution vulnerability in the Windows Remote Desktop Protocol client. This vulnerability can be triggered if a user connects to a malicious, specially crafted server. An attacker would need to trick the user into connecting to this server, either via a malicious file or a man-in-the-middle technique. The attacker could then execute arbitrary code on the victim's machine.

CVE-2020-0640 is a memory corruption vulnerability that exists in the way the Internet Explorer web browser handles objects in memory. An attacker could use this bug to corrupt memory on the victim's machine and then gain the ability to execute arbitrary code. A user can trigger this vulnerability by visiting a malicious, attacker-controlled web page in Internet Explorer.

Important vulnerabilities

This release also contains 41 important vulnerabilities, three of which we will highlight below.

CVE-2020-0601 is a spoofing vulnerability in Windows CryptoAPI. The specific component, crypt32.dll, improperly validates Elliptic Curve Cryptography certificates. An attacker could exploit this bug to spoof a code-signing certificate and secretly sign a file, making that file appear as if it is from a trusted source. A malicious actor could also use this vulnerability to conduct man-in-the-middle attacks and decrypt confidential information.

CVE-2020-0616 is a denial-of-service vulnerability in Windows due to the way the operating system handles hard links. An attacker needs to log onto the victim machine to exploit this bug, and then run a specially crafted application that would allow them to overwrite system files.

CVE-2020-0654 is a vulnerability in the OneDrive app for Android devices that could allow an attacker to bypass certain security features. If the user accesses a link to a file in a OneDrive folder in a certain way, they could bypass the passcode or fingerprint requirements for the app.

The other important vulnerabilities are:

Coverage

In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

These rules are: 52593-52596, 52604, 52605

AMP Advanced Custom Detection (ACD) signature
While there can be multiple ways that an attacker can exploit CVE-2020-0601, AMP can be used to detect spoofed certificates that are masquerading as a Microsoft ECC Certificate Authority by adding an advanced custom detection signature. The process to add this signature can be found in the AMP documentation on page 33 in the Outbreak Control section under custom detections. The actual custom signature that needs to be added can be downloaded here.
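The post does not describe the CryptoAPI flaw itself or the contents of the ACD signature. Public analysis of CVE-2020-0601 at the time centred on ECC certificates that carry explicit curve parameters rather than a named-curve identifier, so one local check a defender can run over a certificate store or over the signing certificates of executables is to classify how each EC key encodes its curve. The following Python is an added example, not code from the Talos post and not the AMP signature it links to: the DER helpers, the curve allowlist and the two sample SubjectPublicKeyInfo blobs are constructed here (the placeholder public key is simply the P-256 base point, and the explicit form reuses the standard P-256 domain parameters).

```python
# Added example (not from the Talos post or Cisco AMP): classify the curve
# parameters of an EC SubjectPublicKeyInfo so explicit ECParameters can be
# flagged for review. Sample keys below are constructed for this example.

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"   # id-ecPublicKey (RFC 5480)
ID_PRIME_FIELD = "1.2.840.10045.1.1"     # prime-field (RFC 3279)
SECP256R1 = "1.2.840.10045.3.1.7"        # named curve P-256
KNOWN_CURVES = {SECP256R1: "P-256"}      # allowlist used by the check (assumed)


def _tlv(tag, body):
    """DER TLV with short- or long-form definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + body


def _oid(dotted):
    """DER-encode a dotted OID (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunks))
    return _tlv(0x06, body)


def _int(value):
    """DER INTEGER for a non-negative value (leading zero if high bit set)."""
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _read_tlv(data, offset=0):
    """Return (tag, value, next_offset) for the definite-length TLV at offset."""
    tag, length = data[offset], data[offset + 1]
    offset += 2
    if length & 0x80:
        nb = length & 0x7F
        length = int.from_bytes(data[offset:offset + nb], "big")
        offset += nb
    return tag, data[offset:offset + length], offset + length


def _decode_oid(body):
    """Decode an OID body to dotted form (first arc 0/1/2 with second arc < 40)."""
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def classify_spki(spki_der):
    """How an SPKI encodes its EC curve: 'named-curve:<name>' (or ':unknown'),
    'explicit-params', 'implicit', 'not-ec' or 'unknown'."""
    tag, spki, _ = _read_tlv(spki_der)
    if tag != 0x30:
        raise ValueError("SPKI must be a SEQUENCE")
    tag, alg, _ = _read_tlv(spki)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid, off = _read_tlv(alg)
    if tag != 0x06 or _decode_oid(oid) != ID_EC_PUBLIC_KEY:
        return "not-ec"
    if off >= len(alg):
        return "implicit"                 # parameters absent
    ptag, pbody, _ = _read_tlv(alg, off)
    if ptag == 0x06:                      # namedCurve OID
        return "named-curve:" + KNOWN_CURVES.get(_decode_oid(pbody), "unknown")
    if ptag == 0x30:                      # explicit ECParameters SEQUENCE
        return "explicit-params"
    if ptag == 0x05:                      # NULL = implicitlyCA
        return "implicit"
    return "unknown"


def is_suspicious(spki_der):
    """True unless the curve is given by a named-curve OID on the allowlist."""
    return classify_spki(spki_der) not in {"named-curve:" + n for n in KNOWN_CURVES.values()}


# P-256 domain parameters (public constants from SEC 2 / FIPS 186-4).
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def _point(x, y):
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


PUBKEY = _point(P256_GX, P256_GY)         # constructed placeholder public key


def named_curve_spki():
    """Constructed SPKI: id-ecPublicKey with namedCurve secp256r1."""
    alg = _tlv(0x30, _oid(ID_EC_PUBLIC_KEY) + _oid(SECP256R1))
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + PUBKEY))


def explicit_params_spki():
    """Constructed SPKI: same key, but curve given as explicit ECParameters."""
    field = _tlv(0x30, _oid(ID_PRIME_FIELD) + _int(P256_P))
    curve = _tlv(0x30, _tlv(0x04, P256_A.to_bytes(32, "big")) + _tlv(0x04, P256_B.to_bytes(32, "big")))
    params = _tlv(0x30, _int(1) + field + curve + _tlv(0x04, PUBKEY) + _int(P256_N) + _int(1))
    alg = _tlv(0x30, _oid(ID_EC_PUBLIC_KEY) + params)
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + PUBKEY))


if __name__ == "__main__":
    for name, spki in (("named", named_curve_spki()), ("explicit", explicit_params_spki())):
        print(name, classify_spki(spki), "suspicious" if is_suspicious(spki) else "ok")
```

To apply this to a real certificate, extract its DER-encoded SubjectPublicKeyInfo with the X.509 parser of your choice and pass the bytes to is_suspicious. Explicit parameters are legal in X.509 but rare in practice, so a hit is a trigger for review rather than an automatic block; the allowlist of named curves is an assumption and should be extended to whatever curves your environment legitimately uses.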