
I'm getting conflicting reports.

Search in Google: "windows 7" fix CVE-2020-0601

The top result (from PCWorld) claims that "contrary to earlier rumors, it does not affect Windows 7".

Scrolling down finds a bunch of articles that claim it affects Windows 7 and newer.

Can anyone confirm if the exploit affects Windows 7, and if so is there going to be a patch available despite end of support?

(For reference: there have been a few cases of extremely bad vulnerabilities in Windows XP that got patched anyway over the years, which provides a good precedent for this to get patched in Windows 7 if applicable)

Anders

user1258361

  • I have the same question! To the people posting Answers that "Windows 7 was not listed on the advisories", that could be because Windows 7 (and Windows Server 2008r2) went out of support 2020-01-14, the same day that the advisories were published. The fact that Microsoft did not list an end-of-life product does not mean anything. I'd like an Answer linking to conclusive hands-on testing that Win7 is not vulnerable. – Mike Ounsworth Jan 17 '20 at 01:28
  • I'm installing Windows 7 in a VM right now, going to try it. – xorist Jan 17 '20 at 02:38
  • Kenna Security posted that it does affect Windows 7 -- https://www.kennasecurity.com/blog/cve-2020-0601-faq/ – atdre Jan 17 '20 at 02:26

2 Answers

After seeing multiple answers with mixed conclusions here and in Google searches, as well as no thorough explanations on whether or not Windows 7 is affected by this vulnerability, I took it upon myself to determine the true answer and show my testing process.

Below are screenshots of a fresh Windows 10 installation in a virtual machine (VM) within which I use a website (https://curveballtest.com/) that has proof-of-concepts (PoC) available for this vulnerability; this is a control to prove the PoC is working.

Windows 10

Information about the Windows 10 installation. (screenshot)

Showing the https://curveballtest.com/ PoC for spoofing certificates for HTTPS working on the Windows 10 installation. (screenshot)

Showing the https://curveballtest.com/ PoC for spoofing signing for an executable working on the Windows 10 installation. (screenshot)

Now I have also created a fresh Windows 7 installation in a VM, below are the results for the https://curveballtest.com/ PoCs.

Windows 7

Information about the Windows 7 installation. (screenshot)

Showing the https://curveballtest.com/ PoC for spoofing certificates for HTTPS NOT working on the Windows 7 installation. (screenshot)

Showing the https://curveballtest.com/ PoC for spoofing signing for an executable NOT working on the Windows 7 installation. (screenshot)

From this testing, we can effectively conclude that Windows 7 is NOT vulnerable to CVE-2020-0601.

xorist


This post on the SANS ISC InfoSec Forums website states

Windows 7 is not affected. ... The affected library, crypt32.dll (CryptoAPI), is present in older versions of Windows, including Windows 7. But not all versions of this library are affected.

and CMU CERT Coordination Center Vulnerability Note VU#849224 explains

Windows 8.1 and prior, as well as the Server 2012 R2 and prior counterparts, do not support ECC keys with parameters. For this reason, such certificates that attempt to exploit this vulnerability are inherently untrusted by older Windows versions.

Stevadson
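The CERT note quoted above gives the root cause in one sentence: the spoofed certificates carry ECC keys with explicit curve parameters, and older Windows versions do not accept that encoding at all. A defender can turn that into an inventory check on certificates already in a trust store or seen on the wire: flag any SubjectPublicKeyInfo whose EC parameters are a `specifiedCurve` SEQUENCE rather than a `namedCurve` OID. The script below is an added example written for this page (it is not code from either answer, from curveballtest.com, or from Microsoft). It parses DER directly with the standard library only; the three sample SPKI blobs it builds are constructed placeholders with dummy curve values and dummy points, not real keys.

```python
# Added example (not from the question or either answer): classify the key in an
# X.509 SubjectPublicKeyInfo (DER) as RSA, EC with a named curve, or EC with
# explicit (specifiedCurve) parameters. Standard library only; the sample inputs
# at the bottom are constructed here and are not real certificates or keys.

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"        # id-ecPublicKey (RFC 5480)
ID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"    # rsaEncryption
ID_PRIME_FIELD = "1.2.840.10045.1.1"          # prime-field, used inside explicit params
NAMED_CURVES = {
    "1.2.840.10045.3.1.7": "prime256v1 (P-256)",
    "1.3.132.0.34": "secp384r1 (P-384)",
    "1.3.132.0.35": "secp521r1 (P-521)",
}


def _read_tlv(buf, pos):
    """Read one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode DER OID contents (without the tag/length header) to dotted form."""
    parts = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc has the high bit clear
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def classify_spki(spki):
    """Return (kind, detail): ('rsa', None), ('ec-named', curve name),
    ('ec-explicit', None), ('ec-noparams', None) or ('other', algorithm OID)."""
    tag, seq_start, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg_start, alg_end = _read_tlv(spki, seq_start)   # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(spki, alg_start)
    if tag != 0x06:
        raise ValueError("algorithm must be an OID")
    algorithm = _decode_oid(spki[oid_start:oid_end])
    if algorithm == ID_RSA_ENCRYPTION:
        return ("rsa", None)
    if algorithm != ID_EC_PUBLIC_KEY:
        return ("other", algorithm)
    if oid_end >= alg_end:                  # ECParameters absent (implicitlyCA)
        return ("ec-noparams", None)
    # ECParameters: namedCurve is an OID, specifiedCurve is a SEQUENCE
    ptag, p_start, p_end = _read_tlv(spki, oid_end)
    if ptag == 0x06:
        oid = _decode_oid(spki[p_start:p_end])
        return ("ec-named", NAMED_CURVES.get(oid, oid))
    if ptag == 0x30:
        return ("ec-explicit", None)
    return ("other", algorithm)


# --- small DER encoder, used only to build the constructed samples below -----

def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    len_bytes = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + body


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


# Constructed placeholder public point (BIT STRING, uncompressed prefix 0x04); not a real key.
_POINT = _der(0x03, b"\x00\x04" + b"\x11" * 64)

SAMPLE_EC_NAMED = _der(0x30, _der(0x30, _encode_oid(ID_EC_PUBLIC_KEY)
                                 + _encode_oid("1.2.840.10045.3.1.7")) + _POINT)

# Constructed specifiedCurve ECParameters (RFC 3279 layout) with placeholder values.
_EXPLICIT_PARAMS = _der(0x30,
    _der(0x02, b"\x01")                                                 # version ecpVer1
    + _der(0x30, _encode_oid(ID_PRIME_FIELD) + _der(0x02, b"\x00\xff"))  # fieldID (placeholder p)
    + _der(0x30, _der(0x04, b"\x01") + _der(0x04, b"\x02"))             # curve a, b (placeholder)
    + _der(0x04, b"\x04\x05\x06")                                       # base point (placeholder)
    + _der(0x02, b"\x7f")                                               # order (placeholder)
    + _der(0x02, b"\x01"))                                              # cofactor
SAMPLE_EC_EXPLICIT = _der(0x30, _der(0x30, _encode_oid(ID_EC_PUBLIC_KEY)
                                    + _EXPLICIT_PARAMS) + _POINT)

SAMPLE_RSA = _der(0x30, _der(0x30, _encode_oid(ID_RSA_ENCRYPTION) + b"\x05\x00")
                  + _der(0x03, b"\x00" + b"\x22" * 20))

if __name__ == "__main__":
    for label, blob in [("named", SAMPLE_EC_NAMED), ("explicit", SAMPLE_EC_EXPLICIT), ("rsa", SAMPLE_RSA)]:
        print(label, classify_spki(blob))
```

Only the `ec-explicit` result is the form the CERT note says older Windows rejects outright and that the CVE-2020-0601 fix on newer Windows concerns; `ec-named` keys are the normal case and should be the only EC form in a healthy trust store. To run this over real certificates, extract the DER SubjectPublicKeyInfo with any X.509 library (for example `cryptography`'s `public_key().public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)`) and pass the bytes to `classify_spki`.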