January 2020 Security Updates: CVE-2020-0601

The January security updates include several Important and Critical security updates. As always, we recommend that customers update their systems as quickly as practical. Details for the full set of updates released today can be found in the Security Update Guide.

We believe in Coordinated Vulnerability Disclosure (CVD) as a proven industry best practice to address security vulnerabilities. Through a partnership between security researchers and vendors, CVD ensures vulnerabilities are addressed prior to being made public. To prevent unnecessary risk to customers, security researchers and vendors do not discuss the details of reported vulnerabilities before an update is available.

This month we addressed the vulnerability CVE-2020-0601 in the user-mode cryptographic library, CRYPT32.DLL, that affects Windows 10 systems, including server versions (Windows Server 2016 and Windows Server 2019). This vulnerability is classed Important and we have not seen it used in active attacks. This vulnerability is one example of our partnership with the security research community where a vulnerability was privately disclosed and an update released to ensure customers were not put at risk. We encourage all security researchers to report potential vulnerabilities to us through our portal.

Another example of how we partner across industry is our Security Update Validation Program (SUVP). Through this program, select organizations from around the world receive limited and controlled access to evaluation versions of these updates so they can validate and verify interoperability in their test environments. These are release candidates for the purposes of application compatibility testing. Their feedback helps us ship quality security fixes to all customers on Update Tuesday. SUVP participants are not permitted to use the fixes except for this purpose.

Microsoft does not release updates for production deployment for any organization ahead of our regular Update Tuesday schedule. 

Through this set of commitments, we continue to deliver high-quality security fixes that help protect our customers.

– Mechele Gruhn, Principal Security Program Manager, MSRC

Related links:
Learn about Coordinated Vulnerability Disclosure
Learn about the Security Update Validation Program (SUVP)
Read the Microsoft Security Update Guide
Report a Security Vulnerability to Microsoft
