Microsoft to patch ‘extraordinarily serious’ cryptographic flaw

The fix has already been shipped to high-value organisations like the US military, according to reports

Microsoft is expected to patch a critical security vulnerability found within a core cryptographic component in several iterations of its Windows operating system as part of its first Patch Tuesday of 2020.

The software update is slated to fix an “extraordinarily serious” flaw anchored in the crypt32.dll Windows component, according to security researcher Brian Krebs, who has had conversations with sources with knowledge of the vulnerability

This vulnerability involves the cryptographic elements of Windows, including data encryption, and as such would be considered highly dangerous if exploited.

Organisations like the US military and firms directly tied with critical infrastructure, moreover, have reportedly been shipped the patch already. They have also allegedly been asked to sign agreements preventing disclosure prior to its public release.

Crypt32.dll has been a part of Windows OS releases for more than 20 years and is a core module that handles certificate and cryptographic messaging functions in the CryptoAPI.

Related Resource

Patch management best practices

Reduce your patch management workload

Download now

This API offers developers the capacity to secure Windows-based applications with cryptography, including encrypting and decrypting data via digital certificates.

These CryptoAPI functions also include the CryptSignMessage function, which creates a hash of specific content, signs the hash, then encodes both the original message content and the signed hash. 

The wide-reaching nature of the security implications, according to Krebs, ranges from compromising authentication on Windows desktops on servers to the protection of sensitive data.

Exploiting the flaw could also allow an attacker to spoof digital signatures, meaning malicious applications can be made to carry the known fingerprint of a legitimate developer.

Microsoft responded by suggesting it doesn’t discuss details of any flaws before updates are made available. The firm added it does not release production-ready updates ahead of regular Update Tuesday schedule. 

“We follow the principles of coordinated vulnerability disclosure (CVD) as the industry best practice to protect our customers from reported security vulnerabilities," senior director with Microsoft, Jeff Jones, told IT Pro.

"To prevent unnecessary risk to customers, security researchers and vendors do not discuss the details of reported vulnerabilities before an update is available.

"At 10am PT, we will release this month’s updates and technical information as part of our regular Update Tuesday schedule.”

A Microsoft spokesperson added that it releases advanced versions of its updates to certain organisations through its Security Update Validation Program (SUVP) for testing purpoes. Participants in this scheme are not allowed to apply the fix to any system beyond this purpose.

The initial reports were partially corroborated by Will Dormann, a vulnerability analyst with the Carnegie Mellon Software Engineering Institute’s computer emergency response team, tweeted that people should pay “very close attention” to the forthcoming round of updates.

Given crypt32.dll has been a part of Windows since Windows NT 4.0, the flaw is likely to be embedded in all previous iterations of the OS released since, including Windows 10, and legacy systems like Windows 7 and Windows XP.

Krebs added the NSA’s director of cybersecurity Anne Neuberger may host a call regarding a “current NSA cybersecurity issue”, which will coincide with the first Patch Tuesday of 2020.

IT Pro approached Microsoft for further information around the reported vulnerability and plans to release a patch.

Featured Resources

Defeating ransomware with unified security from WatchGuard

How SMBs can defend against the onslaught of ransomware attacks

Free download

The IT expert’s guide to AI and content management

How artificial intelligence and machine learning could be critical to your business

Free download

The path to CX excellence

Four stages to thrive in the experience economy

Free download

Becoming an experience-based business

Your blueprint for a strong digital foundation

Free download

Most Popular

What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Apple patches zero-day flaw abused by infamous NSO exploit
exploits

Apple patches zero-day flaw abused by infamous NSO exploit

14 Sep 2021
Google takes down map showing homes of 111,000 Guntrader customers
data breaches

Google takes down map showing homes of 111,000 Guntrader customers

2 Sep 2021