While Microsoft put a weak “important’ rating on CVE-2020-0601 the NSA (yes that NSA) has called it critical and severe. And since they found it, I am going to lay my bets with them.
Microsoft’s bulletin says it is code signing issues, NSA and others in the social media circles says it is much deeper.
Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
NSA: https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF
Key bit from the NSA release, note that domain controllers are specifically and purposely listed.
Again… Patch now.joe
