The Cybersecurity Advisory of the National Security Agency (NSA) has recently uncovered a critical Windows CryptoAPI Spoofing Vulnerability in Windows 10 operating systems.
Dubbed NSACrypt, the security flaw found in the Crypt32.dll module enables remote code execution and affects the way Windows verifies cryptographic trust.
Signed files and emails, HTTPS connections and signed executable code launched as user-mode processes are some examples where the validation process may be exploited by an attacker.
In a successful attack, “the user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider,” said the report.
How can users and business protect their systems? As there is no workaround for this type of vulnerability, the “NSA recommends installing all January 2020 Patch Tuesday patches as soon as possible.” If automated patching is not possible for enterprises, they should at least “prioritize patching endpoints that provide essential or broadly replied-upon services” such as endpoints directly exposed to the Internet or used by privileged users.
Mechele Gruhn, the head Security Program Manager from Microsoft also confirmed the security flaw in separate blog post on Jan. 14.
“This month we addressed the vulnerability CVE-2020-0601 in the usermode cryptographic library, CRYPT32.DLL, that affects Windows 10 systems,” said Gruhn. “This vulnerability is classed Important and we have not seen it used in active attacks.”
Eight of the 49 vulnerabilities patched in the January 2020 Patch Tuesday released by Microsoft are flagged critical.
Worthy mentions in this month’s batch of security updates are also CVE-2020-0609 and CVE-2020-0610, two remote execution bugs found in the RDP Gateway services that require no user interactions to be exploited by unauthorized parties.
Although the no exploitation of the vulnerabilities has been reported in the whild, it’s better to be safe than sorry, and downloading the latest Windows update is highly recommended.