Patch your Windows 10 boxes.

[mdlbear]

If your Windows 10 boxes -- all of them, both desktops and servers, didn't apply the update that came out Tuesday, go do that now. You can chase the references below while the update is downloading.

Here's what Microsoft said about it when they released the patch. There are more details in the resource list below. Some of those go on to link to proof-of-concept exploits. Good luck!

h/t to @thnidu.

Resources

• NVD - CVE-2020-0601
• Windows 10 Has a Security Flaw So Severe the NSA Disclosed It | WIRED
• CVE-2020-0601 | Windows CryptoAPI Spoofing Vulnerability
• January 2020 Security Updates: CVE-2020-0601 - Microsoft Security Response Center
• CVE-2020-0601: a critical Windows vulnerability discovered by…NSA!

Another fine post from The Computer Curmudgeon (also at computer-curmudgeon.com).
Donation buttons in profile.

Comments

[mdlbear]

Well, you could download the update using an OS that doesn't have broken crypto -- anything but Windows 10 would do. Possibly even Chrome or Firefox; both of those are statically linked to their own crypto libraries, if I remember correctly.

If you'd already installed the patch, you could test your system against any of the proof-of-concept exploits to make sure that the fix got installed. (That's less certain; additional malware could have been installed by an attacker along with the patch.)

If Windows holds on to the update file after installing it, you could compare at that point.