
Microsoft Releases January Updates

Last Updated: 02/26/2020

Security Notice Level


Microsoft has released the January updates to their software. Some of these updates address vulnerabilities that may allow a remote attacker to take control of a system. The Office of Information Security (OIS) advises owners of the software listed below to update as soon as possible.

Items of note:

  • There are multiple RDP vulnerabilities (Windows Remote Desktop client and RDP Gateway Server) that affect Windows Server 2012 and newer versions, and Windows 7 and newer versions. Exploitation is pre-authentication and requires no user interaction. A remote attacker may be able to take complete control of the system.
  • There is a CryptoAPI spoofing vulnerability, reported to Microsoft by the NSA, that affects all machines running Windows 10, Windows Server 2016 and Windows 2019. This vulnerability allows Elliptic Curve Cryptography (ECC) certificate validation to bypass the trust store, enabling unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization. This could deceive users or thwart malware detection methods such as antivirus. [1]
  • Microsoft discontinued support for Windows 7 on January 14, 2020 and will no longer provide free software updates and security patches. [2] OIS recommends you upgrade to Windows 10 as soon as possible.

Affected Software

  • Microsoft Windows 
  • Internet Explorer 
  • Microsoft Office and Microsoft Office Services and Web Apps 
  • ASP.NET Core 
  • .NET Core 
  • .NET Framework 
  • OneDrive for Android 
  • Microsoft Dynamics 

Security Bulletin Name

Release Notes: January 2020 Security Updates

Additional Information

Additional information about these vulnerabilities can be viewed at:

[1]  https://www.us-cert.gov/ncas/alerts/aa20-014a 
[2]  https://support.microsoft.com/en-us/help/4057281/windows-7-support-ended-on-january-14-2020 

If you have any questions, please contact the IT Service Center at 303-735-4357 (or 5-HELP from an on-campus phone) or oithelp@colorado.edu.

Definitions for this notice:
Urgent: severity represents a broad threat to the entire campus community including remotely exploitable administrator or root type attacks.
Severe: severity includes worms and web- or email-based exploits.
Important: severity includes viruses and local exploits for commonly used services.