Microsoft has released a patch for a serious vulnerability in Windows that allows attackers to spoof digital certificates. By exploiting it, encrypted communication can be intercepted or a man-in-the-middle attack carried out.
The vulnerability is in Crypt32.dll, a Windows component that validates certificates. The flaw in Crypt32.dll makes it possible to spoof Elliptic Curve Cryptography (ecc) certificates. Windows relies on such ecc certificates, among other things, when handling https traffic. All Windows functions that validate an X.509 certificate against a trusted root certificate authority can be tricked by the vulnerability in CryptoAPI into treating a counterfeit certificate as legitimate. This affects almost all applications that deal with communication encrypted via tls. An attacker could exploit the vulnerability, for example, to get a malicious executable onto a system. After an infection, an attacker can carry out a man-in-the-middle attack or eavesdrop on the system's communications. The vulnerability exists in both 32-bit and 64-bit versions of Windows 10. Windows Server 2016 and Windows Server 2019 are also vulnerable. According to Microsoft, there are currently no indications that the flaw has been exploited in the wild.
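The NSA's advisory for this flaw recommends looking for certificates whose ecc public key is described by explicit curve parameters rather than a named curve, since a genuine certificate from a public CA uses a named-curve OID. The following is an added defender-side example, not code from the article, Microsoft or the NSA: a pure-stdlib Python check that pulls the SubjectPublicKeyInfo out of a DER-encoded X.509 certificate and reports whether the ec key uses a named curve (for example P-256) or explicit parameters. The two sample certificates it builds are constructed placeholders (empty issuer, subject and validity fields, dummy curve numbers, no real signature), so only the structure matters.

```python
"""Flag X.509 certificates whose EC public key carries explicit curve
parameters instead of a named-curve OID (pure-stdlib DER parsing).
Added example; the sample certificates below are constructed, not real."""

EC_PUBLIC_KEY_OID = "1.2.840.10045.2.1"   # id-ecPublicKey (RFC 5480)
PRIME_FIELD_OID = "1.2.840.10045.1.1"     # prime-field, used only in the sample
SECP256R1_OID = "1.2.840.10045.3.1.7"     # NIST P-256 named curve


# --- minimal DER helpers --------------------------------------------------
def _tlv(tag, body):
    """Encode one DER tag-length-value element (short or long length form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = (len(body).bit_length() + 7) // 8
    return bytes([tag, 0x80 | n]) + len(body).to_bytes(n, "big") + body


def _oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Split a constructed element's body into (tag, body) children."""
    items, pos = [], 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        items.append((tag, inner))
    return items


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


# --- the check --------------------------------------------------------------
def classify_spki(spki_der):
    """Classify a SubjectPublicKeyInfo by the ECParameters choice in its
    AlgorithmIdentifier: named curve, explicit parameters, implicit, or not EC."""
    _, spki_body, _ = _read_tlv(spki_der, 0)
    alg_id = _children(spki_body)[0][1]            # AlgorithmIdentifier body
    _, alg_oid_body, pos = _read_tlv(alg_id, 0)
    algorithm = _decode_oid(alg_oid_body)
    if algorithm != EC_PUBLIC_KEY_OID:
        return ("not_ec", algorithm)
    param_tag, param_body, _ = _read_tlv(alg_id, pos)
    if param_tag == 0x06:                          # OBJECT IDENTIFIER -> namedCurve
        return ("named_curve", _decode_oid(param_body))
    if param_tag == 0x30:                          # SEQUENCE -> explicit ECParameters
        return ("explicit_parameters", None)
    if param_tag == 0x05:                          # NULL -> implicitlyCA
        return ("implicit_curve", None)
    return ("unknown", None)


def spki_from_certificate(cert_der):
    """Extract SubjectPublicKeyInfo from a DER Certificate (RFC 5280 field order)."""
    _, cert_body, _ = _read_tlv(cert_der, 0)
    fields = _children(_children(cert_body)[0][1])  # tbsCertificate children
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, body = fields[5]
    return _tlv(tag, body)


def assess_certificate(cert_der):
    """Return (kind, detail, suspicious); explicit parameters are the red flag."""
    kind, detail = classify_spki(spki_from_certificate(cert_der))
    return kind, detail, kind == "explicit_parameters"


# --- constructed sample certificates (placeholders, not valid certificates) ----
def build_sample_cert(explicit):
    if explicit:   # explicit ECParameters with dummy numbers, not a real curve
        params = _tlv(0x30,
            _tlv(0x02, b"\x01")                                          # version 1
            + _tlv(0x30, _oid(PRIME_FIELD_OID) + _tlv(0x02, b"\x17"))    # fieldID
            + _tlv(0x30, _tlv(0x04, b"\x01") + _tlv(0x04, b"\x01"))      # curve a, b
            + _tlv(0x04, b"\x04\x01\x02")                                # base point
            + _tlv(0x02, b"\x13"))                                       # order
    else:
        params = _oid(SECP256R1_OID)
    point = _tlv(0x03, b"\x00\x04" + b"\x11" * 64)                       # dummy point
    spki = _tlv(0x30, _tlv(0x30, _oid(EC_PUBLIC_KEY_OID) + params) + point)
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + _tlv(0x30, b"") * 4 + spki)           # empty sigalg/issuer/validity/subject
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    for flag in (False, True):
        print(assess_certificate(build_sample_cert(explicit=flag)))
```

To run it against real material, feed `assess_certificate` the DER bytes of a certificate captured from a TLS handshake or exported from the certificate store (PEM input needs base64 decoding of the body first). A named-curve result is what a public CA issues; an explicit-parameters result on a certificate that chains to a trusted root is worth treating as suspicious and investigating, and it is the shape the NSA advisory suggests building detection around.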
The vulnerability has been assigned the identifier CVE-2020-0601. Microsoft released a fix for it on Tuesday as part of the monthly Patch Tuesday. Earlier, some media had speculated that the company would depart from its regular update schedule to close the hole, because it would be so serious that a fix had to be issued immediately. That turned out to be less bad than expected. The vulnerability was discovered by the American intelligence service NSA, which passed it on to Microsoft. The NSA has often been criticised in the past for using such important flaws in software itself to carry out intelligence operations. The NSA had previously lost control of one such zeroday, called EternalBlue; later the agency went on to warn companies to apply a patch for it. Meanwhile, the US government itself has issued a warning about this flaw. The NSA has also published a detailed description of the vulnerability.
Microsoft classifies the update as “Important” and recommends that companies install it as quickly as possible. The NSA also warns about this. “The consequences of not patching this vulnerability are large and widespread,” writes the intelligence service in its description. “Tools that can exploit this from a distance are likely to be created and distributed quickly.”