ALERT — Microsoft cryptography systems vulnerability

January 15, 2020 · frtg · 1 min read

On 14 January, the National Security Agency (NSA) issued a notice detailing a vulnerability affecting Microsoft Windows systems (Windows 10, Windows Server 2016/2019).

The vulnerability (CVE-2020-0601) impacts certificate validation processes and may be exploited through multiple vectors and attack paths:

HTTPS connections
files and emails signed with certificates
executables signed with certificates

Mitigation

We recommend maintaining current patch levels by applying the current month’s security updates as soon as possible, increasing monitoring intensity on critical systems and particularly on systems exposed to public networks. Organizations managing complex certificate infrastructures should consider engaging Cybersecurity Advisory resources to validate their validation chain implementations against this class of cryptographic bypass.

Sources

Microsoft Security Advisory:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601

Cookie	Duration	Description
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Mitigation

Sources

Cookie & Privacy