NSA Makes Unprecedented Vulnerability Disclosure - Microsoft Vulnerability CVE-2020-0601

Microsoft’s Patch Tuesday has come again and, with it, another highly publicized vulnerability, CVE-2020-0601. This week’s notification is particularly interesting since it was the National Security Agency (NSA) that discovered and reported the looming potential weakness to Microsoft, which was followed by an unprecedented public disclosure. The NSA’s Director of Cybersecurity, Anne Neuberger, confirmed that the NSA first reported this vulnerability to Microsoft, and that this was the first time Microsoft will have credited NSA for reporting a security flaw. This disclosure apparently is related to a new initiative within the NSA to share important vulnerability findings on a more regular basis.

A lot of people are patting the NSA on the back for handling the vulnerability in such a responsible way. It’s certainly leaps and bounds above their last major vulnerability disclosure (EternalBlue), which came in the form of leaked NSA attack tools. That said, one of the responsibilities of the NSA is to collect intelligence, and to do that effectively you need to hack people and to hack people you need attack paths. Of course, the security agency can’t disclose all of those attack paths, and the fact they disclosed this one likely shows that the benefit of disclosing it outweighed the benefit of keeping it to themselves. It may have been an active attack in use for years, but those of us outside the intelligence community will probably never know.

Should you be concerned? In a nutshell, this vulnerability makes multiple forms of “man-in-the-middle” attacks possible. These are the types of attacks more likely to be used by advanced attackers, like nation states (like the NSA), than your eastern European ransomware groups that frequently target small and medium-sized companies. If you’re an organization that’s able to quickly and effectively deliver updates and patches, you don’t need to be overly concerned. Apply the latest Microsoft fixes using your standard process as soon as possible. This attack has implications for all Windows systems, so endpoints need to be updated, as well as servers, and this applies to internal systems as much as internet-facing systems.

A lot of organizations, though, do not fall into the category of being able to quickly and effectively deliver patches to their systems. If that describes your company, then you should be concerned, but not just about this particular vulnerability. In our consulting and audit practices, we find organizations that struggle with operational tasks, such as effective implementation of software updates, normally have a host of other security issues that are much easier to attack than a vulnerability like CVE-2020-0601. If your approach to patching is to never patch, particularly servers, or to only patch internet-facing systems, then your organization is probably at a very low security maturity level and would benefit greatly from outside help.

Good luck, don’t forget to test, backup and snapshot before you update. And if you use Citrix, don’t forget to put in place the remediation for CVE-2019-19781, which is a remotely exploitable Citrix server vulnerability that’s a higher risk than this latest Microsoft vulnerability.

Helpful Links

How Can Schneider Downs Help?

The Schneider Downs cybersecurity practice consists of experts in multiple technical domain services, including security audits, assessments, penetration testing, incident response and indicator of compromise assessments. All organizations can benefit from one or more of our services. The benefit of being at a lower security maturity level is that you will typically get the most bang for your buck in terms of the number of findings and recommendations.

For more information, visit www.schneiderdowns.com/cybersecurity or contact us at [email protected].

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2021 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
How To Scope a SOC 2 Audit
Do I Need a SOC 2 Type 1 Before a SOC 2 Type 2?
Why Do CPA Firms Perform SOC 2 Audits?
What Financial Institutions Need to Know About R-SAT
Fact or Fiction: SOC 2
Cybersecurity BY Gary Muggli
NIST Introduces NISTIR 8374 to Tackle Ransomware Risk Management
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us
Map of Pittsburgh Office

One PPG Place, Suite 1700
Pittsburgh, PA 15222

[email protected]
p:412.261.3644     f:412.261.4876

Map of Columbus Office

65 East State Street, Suite 2000
Columbus, OH 43215

[email protected]
p:614.621.4060     f:614.621.4062

Map of Washington Office
Washington, D.C.

1660 International Drive, Suite 600
McLean, VA 22102

[email protected]

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.