Today Is One Patch Tuesday That You May Want To Take Seriously… Microsoft May Be About To Patch A Serious Flaw In Windows [UPDATED]

To be honest, every Patch Tuesday should be taken seriously, as the bugs fixed on Patch Tuesday are usually exploited by hackers 24 hours later, with the targets being those who have not yet updated. Having said that, today’s Patch Tuesday may be more important than usual because of this discovery by Brian Krebs:

Sources tell KrebsOnSecurity that Microsoft Corp. is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020.

According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles “certificate and cryptographic messaging functions in the CryptoAPI.” The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates.

A critical vulnerability in this Windows component could have wide-ranging security implications for a number of important Windows functions, including authentication on Windows desktops and servers, the protection of sensitive data handled by Microsoft’s Internet Explorer/Edge browsers, as well as a number of third-party applications and tools.

If this is true, this is a big deal, and you should patch all the things the second the fix becomes available: based on the above description, any exploit that leverages this flaw will be serious and highly damaging, assuming exploits aren’t already out there. I’ll update this post as soon as I get more info on this.

UPDATE: This is likely the first of many updates on this story. The NSA just held a press briefing and, according to the Washington Post, confirmed that it found a flaw matching the description Brian Krebs reported and alerted Microsoft. That’s a major shift for the NSA, which tends not to report such flaws and instead weaponizes them. That officially makes this a big deal, and you should patch all your Windows computers the second the fix becomes available.

UPDATE #2: I posted this tweet with a link to the Microsoft write-up about this issue a few minutes ago:

But as informative as that is, what you actually want to read is the CERT document on this. I had a look, and this bug is incredibly bad. This summary has all you need to know:

The Microsoft Windows CryptoAPI fails to properly validate certificates that use Elliptic Curve Cryptography (ECC), which may allow an attacker to spoof the validity of certificate chains.

In English, that means an attacker can use a fake certificate to read data that should be encrypted at all times. So I will reiterate what I said earlier in this post: as soon as the patch comes out, patch all the things.
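As an added, defender-side example that is not part of this post: the PowerShell below reports the crypt32.dll file version on a list of Windows hosts and flags any that are still below the patched build, so you can confirm the update actually landed rather than assuming it did. The post does not give the patched version number, so the script takes it as a required parameter (take the value for each Windows build from Microsoft’s advisory); the host names and admin$ share access are assumptions.

```powershell
# Added example, not from the post: check which hosts still carry an unpatched crypt32.dll.
# Usage (assumed file name): .\Check-Crypt32.ps1 -ComputerName host1,host2 -PatchedVersion <from advisory>
# Assumes you are an administrator on each host and the admin$ share is reachable over SMB.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    # No placeholder default on purpose: a wrong floor would report every host as patched.
    [Parameter(Mandatory)][version]$PatchedVersion
)

foreach ($name in $ComputerName) {
    # Local host reads the file directly; remote hosts go through the admin$ share.
    $path = "\\$name\admin$\System32\crypt32.dll"
    if ($name -eq $env:COMPUTERNAME) { $path = "$env:SystemRoot\System32\crypt32.dll" }

    try {
        $info = (Get-Item -LiteralPath $path -ErrorAction Stop).VersionInfo
        # FileVersionRaw is a [version], so the comparison is numeric, not a string compare
        # (a string compare would rank "10.0.18362.592" below "10.0.18362.60").
        $ver = $info.FileVersionRaw
        [pscustomobject]@{
            Computer   = $name
            Crypt32Ver = $ver.ToString()
            Status     = if ($ver -ge $PatchedVersion) { 'patched' } else { 'NEEDS UPDATE' }
        }
    } catch {
        # Unreachable hosts are reported, not skipped, so they do not silently pass as patched.
        [pscustomobject]@{
            Computer   = $name
            Crypt32Ver = $null
            Status     = "unreachable: $($_.Exception.Message)"
        }
    }
}
```

Pipe the output to `Where-Object Status -ne 'patched'` to get just the hosts that still need attention.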
