Microsoft to patch ‘extraordinarily serious’ cryptographic flaw

The fix has already been shipped to high-value organisations like the US military, according to reports

Microsoft is expected to patch a critical security vulnerability found within a core cryptographic component in several iterations of its Windows operating system as part of its first Patch Tuesday of 2020.

The software update is slated to fix an “extraordinarily serious” flaw anchored in the crypt32.dll Windows component, according to security researcher Brian Krebs, who has had conversations with sources with knowledge of the vulnerability

This vulnerability involves the cryptographic elements of Windows, including data encryption, and as such would be considered highly dangerous if exploited.

Organisations like the US military and firms directly tied with critical infrastructure, moreover, have reportedly been shipped the patch already. They have also allegedly been asked to sign agreements preventing disclosure prior to its public release.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Crypt32.dll has been a part of Windows OS releases for more than 20 years and is a core module that handles certificate and cryptographic messaging functions in the CryptoAPI.

Related Resource

Patch management best practices

Reduce your patch management workload

Download now

This API offers developers the capacity to secure Windows-based applications with cryptography, including encrypting and decrypting data via digital certificates.

These CryptoAPI functions also include the CryptSignMessage function, which creates a hash of specific content, signs the hash, then encodes both the original message content and the signed hash. 

The wide-reaching nature of the security implications, according to Krebs, ranges from compromising authentication on Windows desktops on servers to the protection of sensitive data.

Exploiting the flaw could also allow an attacker to spoof digital signatures, meaning malicious applications can be made to carry the known fingerprint of a legitimate developer.

Microsoft responded by suggesting it doesn’t discuss details of any flaws before updates are made available. The firm added it does not release production-ready updates ahead of regular Update Tuesday schedule. 

“We follow the principles of coordinated vulnerability disclosure (CVD) as the industry best practice to protect our customers from reported security vulnerabilities," senior director with Microsoft, Jeff Jones, told IT Pro.

"To prevent unnecessary risk to customers, security researchers and vendors do not discuss the details of reported vulnerabilities before an update is available.

"At 10am PT, we will release this month’s updates and technical information as part of our regular Update Tuesday schedule.”

A Microsoft spokesperson added that it releases advanced versions of its updates to certain organisations through its Security Update Validation Program (SUVP) for testing purpoes. Participants in this scheme are not allowed to apply the fix to any system beyond this purpose.

Advertisement
Advertisement - Article continues below

The initial reports were partially corroborated by Will Dormann, a vulnerability analyst with the Carnegie Mellon Software Engineering Institute’s computer emergency response team, tweeted that people should pay “very close attention” to the forthcoming round of updates.

Given crypt32.dll has been a part of Windows since Windows NT 4.0, the flaw is likely to be embedded in all previous iterations of the OS released since, including Windows 10, and legacy systems like Windows 7 and Windows XP.

Advertisement - Article continues below

Krebs added the NSA’s director of cybersecurity Anne Neuberger may host a call regarding a “current NSA cybersecurity issue”, which will coincide with the first Patch Tuesday of 2020.

IT Pro approached Microsoft for further information around the reported vulnerability and plans to release a patch.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Most Popular

Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/operating-systems/microsoft-windows/354526/memes-and-viking-funerals-the-internet-reacts-to-the
Microsoft Windows

Memes and Viking funerals: The internet reacts to the death of Windows 7

14 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020