Patch your Windows 10 boxes.

[mdlbear]

If your Windows 10 boxes -- all of them, both desktops and servers, didn't apply the update that came out Tuesday, go do that now. You can chase the references below while the update is downloading.

Here's what Microsoft said about it when they released the patch. There are more details in the resource list below. Some of those go on to link to proof-of-concept exploits. Good luck!

h/t to @thnidu.

Resources

• NVD - CVE-2020-0601
• Windows 10 Has a Security Flaw So Severe the NSA Disclosed It | WIRED
• CVE-2020-0601 | Windows CryptoAPI Spoofing Vulnerability
• January 2020 Security Updates: CVE-2020-0601 - Microsoft Security Response Center
• CVE-2020-0601: a critical Windows vulnerability discovered by…NSA!

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com).
Donation buttons in profile.

Comments

[ellenmillion]

Windows Updates stopped working on my machine altogether: it would try and try and then roll them back. I’ve moved to Mac and could not be happier.

[mdlbear]

:) I'm running Linux on my laptops (most of which are rescues); it's time for me to fire up the Mac mini to do my taxes on. The laptops are mostly dual-boot with Windows 7, which isn't vulnerable this time around.

[madfilkentist]

I've just gotten an assignment to write an article on the topic, so I'll be able to spread the word a little more. Regrettably, it's under a ghostwriting agreement, so I won't be able to tell people about it when it's published.

Something that just occurred to me: If the validation of certificates is broken, how do you know that your download of the security update hasn't been compromised?

[mdlbear]

Well, you could download the update using an OS that doesn't have broken crypto -- anything but Windows 10 would do. Possibly even Chrome or Firefox; both of those are statically linked to their own crypto libraries, if I remember correctly.

If you'd already installed the patch, you could test your system against any of the proof-of-concept exploits to make sure that the fix got installed. (That's less certain; additional malware could have been installed by an attacker along with the patch.)

If Windows holds on to the update file after installing it, you could compare at that point.

[moem]

There is not a single installation of Win10 running in this house.

[dreamshark]

Thanks for the reminder. My Windows machine had updated, but not really until I rebooted. Which I don't do every day because rebooting doesn't go all that smoothly with my dual-monitor docking station setup.

[mdlbear]

Welcome! Docking stations are tricky. What I do is undock (or disconnect the external monitor if I'm not using the dock) before I reboot, giving the OS and the GUI time to notice that they're gone. Reconnect after rebooting.

(Probably wouldn't be necessary if I wasn't using Linux and xmonad.)

Suspend is actually flakier; if I disconnect anything while the box is in the middle of suspending there's a good chance it will crash. Or fail to suspend, in which case it will be sitting in my backpack cooking itself.

[dreamshark]

Turning off the docking station while I bring up the laptop does seem to work best. The biggest issue is connecting to the two monitors. Sometimes only one comes up, or they come up in the wrong order, or occasionally the whole display setting gets whacked and they come up in pixelated mode. I also have a problem with some of my cherished older software that doesn't work terribly well on Windows 10. Every time I restart my beloved CompuPic image manager there is about a 1 in 4 chance that it will blow up and have to be reinstalled. But in almost 20 years of using it I have never found an image manager that compares in simplicity and power, so I keep reinstalling it.