Microsoft releases patch for bug that allows certificate spoofing


Microsoft has released a patch for a serious vulnerability in Windows that allows attackers to spoof digital certificates. By exploiting it, an attacker can tap encrypted communications or carry out a man-in-the-middle attack.

It concerns a vulnerability in Crypt32.dll, the Windows component that validates certificates. The vulnerability in Crypt32.dll makes it possible to spoof Elliptic Curve Cryptography (ECC) certificates. Windows creates such ECC certificates when handling HTTPS traffic, among other things. Any Windows function that attempts to validate an X.509 certificate against a trusted root certificate authority can be tricked by the CryptoAPI vulnerability into accepting a counterfeit certificate as legitimate. This affects almost all applications whose communication is encrypted via TLS. An attacker can exploit the vulnerability to, for example, get an infected executable onto a system; after such an infection, the attacker can perform a man-in-the-middle attack or eavesdrop on the system's communications. The vulnerability is present in both the 32-bit and 64-bit versions of Windows 10; Windows Server 2016 and Windows Server 2019 are also vulnerable. According to Microsoft, there are currently no signs that the vulnerability has been exploited in the wild.

The vulnerability has been assigned the identifier CVE-2020-0601. Microsoft released a fix for it on Tuesday as part of its monthly Patch Tuesday; the update is known as KB4534306. Some media had previously speculated that the company would depart from its regular update schedule to close the hole, because it was said to be so serious that an immediate fix was needed. In the end, that turned out not to be necessary. The vulnerability was discovered by the American intelligence agency NSA, which reported it to Microsoft. The NSA has often been criticized in the past for itself using such holes in software to conduct intelligence operations. Earlier, the NSA lost control of one such zero-day, called EternalBlue; later, the agency warned companies to apply a patch for it. The US government has since issued a warning about this leak, and the NSA itself has also published a detailed description of the vulnerability.

Microsoft classifies the update as “Important” and recommends that companies install it as soon as possible. The NSA issues the same warning. “The consequences of not patching this vulnerability are significant and widespread,” the intelligence agency writes in its description. “Tools that can exploit this from a distance are likely to be created and distributed quickly.”
