Microsoft to patch ‘extraordinarily serious’ cryptographic flaw

Microsoft is expected to patch a critical security vulnerability found within a core cryptographic component in several iterations of its Windows operating system as part of its first Patch Tuesday of 2020.

The software update is slated to fix an “extraordinarily serious” flaw anchored in the crypt32.dll Windows component, according to security researcher Brian Krebs, who has had conversations with sources with knowledge of the vulnerability.

This vulnerability involves the cryptographic elements of Windows, including data encryption, and as such would be considered highly dangerous if exploited.

Organisations like the US military and firms directly tied with critical infrastructure, moreover, have reportedly been shipped the patch already. They have also allegedly been asked to sign agreements preventing disclosure prior to its public release.

Crypt32.dll has been a part of Windows OS releases for more than 20 years and is a core module that handles certificate and cryptographic messaging functions in the CryptoAPI.

RELATED RESOURCE

Patch management best practices

Reduce your patch management workload

FREE DOWNLOAD

This API offers developers the capacity to secure Windows-based applications with cryptography, including encrypting and decrypting data via digital certificates.

These CryptoAPI functions also include the CryptSignMessage function, which creates a hash of specific content, signs the hash, then encodes both the original message content and the signed hash.

The wide-reaching nature of the security implications, according to Krebs, ranges from compromising authentication on Windows desktops on servers to the protection of sensitive data.

Exploiting the flaw could also allow an attacker to spoof digital signatures, meaning malicious applications can be made to carry the known fingerprint of a legitimate developer.

Microsoft responded by suggesting it doesn’t discuss details of any flaws before updates are made available. The firm added it does not release production-ready updates ahead of regular Update Tuesday schedule.

“We follow the principles of coordinated vulnerability disclosure (CVD) as the industry best practice to protect our customers from reported security vulnerabilities," senior director with Microsoft, Jeff Jones, told IT Pro.

"To prevent unnecessary risk to customers, security researchers and vendors do not discuss the details of reported vulnerabilities before an update is available.

"At 10am PT, we will release this month’s updates and technical information as part of our regular Update Tuesday schedule.”

A Microsoft spokesperson added that it releases advanced versions of its updates to certain organisations through its Security Update Validation Program (SUVP) for testing purpoes. Participants in this scheme are not allowed to apply the fix to any system beyond this purpose.

The initial reports were partially corroborated by Will Dormann, a vulnerability analyst with the Carnegie Mellon Software Engineering Institute’s computer emergency response team, tweeted that people should pay “very close attention” to the forthcoming round of updates.

See more

Given crypt32.dll has been a part of Windows since Windows NT 4.0, the flaw is likely to be embedded in all previous iterations of the OS released since, including Windows 10, and legacy systems like Windows 7 and Windows XP.

Krebs added the NSA’s director of cybersecurity Anne Neuberger may host a call regarding a “current NSA cybersecurity issue”, which will coincide with the first Patch Tuesday of 2020.

IT Pro approached Microsoft for further information around the reported vulnerability and plans to release a patch.

Keumars Afifi-Sabet
Features Editor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.