Notes on CVE-2020-0601

In the January 2020 Patch Tuesday, Microsoft patched vulnerability CVE-2020-0601.
The NSA gave notice for everyone to patch immediately. Here are some notes I collected on the threat this vulnerability poses.

The flaw is in the ECC crypto in the Microsoft Crypto Library.

  • Most code signing uses RSA crypto.
  • The biggest threat is to TLS, where the flaw could allow a bad guy to mount a man-in-the-middle (MIM) attack.
  • The Chrome and Firefox browsers do not use the Microsoft Crypto Library, so there is no risk of MIM there.
  • IE and Edge use the Microsoft Crypto Library, so they are vulnerable.

Bottom line: Patch.