
Major Cryptographic Flaw Revealed on First 2020 Patch Tuesday: Patch Your Systems as Soon as Possible

January 14, 2020 | Anastasios Arampatzis

While everyone was wondering what the first Patch Tuesday of 2020 would include, Brian Krebs disclosed on his website that the imminent Windows update would “fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows.”

According to Krebs, the vulnerability resides in a Windows component known as crypt32.dll, a module that, according to Microsoft, “implements many of the Certificate and Cryptographic Messaging functions in the CryptoAPI.” The Microsoft CryptoAPI ships with every Windows release and provides the services developers use to secure Windows-based applications with cryptography, including encrypting and decrypting data, and validating signatures, using digital certificates.

The CryptoAPI was first introduced in Windows NT 4.0 and extended in subsequent versions. Before any details were public, it therefore looked likely that every version of Windows was affected, including Windows XP, which Microsoft no longer patches. (The NSA's statement quoted below narrows the affected set to Windows 10 and Windows Server 2016.)

A Critical Vulnerability in the CryptoAPI

Such a vulnerability could have far-reaching security implications for several important Windows functions, including user authentication on Windows desktops and servers, the protection of sensitive data handled by Microsoft’s browsers, and a number of third-party applications and tools that rely on the CryptoAPI for certificate validation.

And it gets worse. A flaw in crypt32.dll might also be abused to spoof code signatures on software: an attacker could make malware appear to be a benign program produced and signed by a legitimate software company, because the same component that validates certificate chains is the one that checks Authenticode signatures.
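Because crypt32.dll is the component doing the validating, the first thing a Windows administrator wants after reading the two passages above is a way to see, per host, which crypt32.dll is installed, whether the fix is present, and what the Authenticode verifier currently says about a set of binaries and which root it anchored on. The script below is an added example, not code from the original post or from Venafi. It assumes the operator supplies the KB identifiers and the fixed crypt32.dll file version from the vendor advisory for their build; neither is hard-coded, and the default file list is just two commonly present system files.

```powershell
<#
  Added example (not from the original article): per-host check for a
  crypt32.dll fix plus an Authenticode signature inventory.
  Assumptions: -ExpectedKb and -MinCrypt32Version come from the vendor
  advisory for your OS build; 0.0.0.0 means "report only, do not judge".
#>
param(
    [string[]] $ExpectedKb = @(),               # KB IDs to look for (operator-supplied assumption)
    [version]  $MinCrypt32Version = '0.0.0.0',  # fixed crypt32.dll file version (operator-supplied assumption)
    [string[]] $FilesToVerify = @(
        "$env:SystemRoot\System32\notepad.exe",
        "$env:SystemRoot\System32\crypt32.dll"
    )
)

function Get-Crypt32Status {
    # Read the real file version numerically; the FileVersion string is free text.
    $dll = Get-Item -LiteralPath (Join-Path $env:SystemRoot 'System32\crypt32.dll')
    $vi  = $dll.VersionInfo
    $ver = [version]"$($vi.FileMajorPart).$($vi.FileMinorPart).$($vi.FileBuildPart).$($vi.FilePrivatePart)"

    # CurrentBuild.UBR identifies the cumulative update level on Windows 10 / Server 2016+;
    # older releases have no UBR value.
    $nt  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $ubr = if ($nt.PSObject.Properties['UBR']) { $nt.UBR } else { 'n/a' }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        ProductName    = $nt.ProductName
        Build          = "$($nt.CurrentBuild).$ubr"
        Crypt32Version = $ver
        MeetsMinimum   = ($ver -ge $MinCrypt32Version)
    }
}

function Test-ExpectedHotfix {
    param([string[]] $KbIds)
    if (-not $KbIds) { return }
    # Get-HotFix only sees updates registered in Win32_QuickFixEngineering; an update
    # that is absent here may still be present, so treat "False" as "investigate".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        [pscustomobject]@{ HotFixID = $kb; Installed = ($installed -contains $kb) }
    }
}

function Test-BinarySignature {
    param([string[]] $Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        # Handles both embedded (Authenticode) and catalog signatures.
        $sig    = Get-AuthenticodeSignature -FilePath $p
        $signer = $null; $algo = $null; $root = $null
        if ($sig.SignerCertificate) {
            $signer = $sig.SignerCertificate.Subject
            $algo   = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
            # Build the chain ourselves so the trust anchor the verifier landed on is visible.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode =
                [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck  # inventory only
            $null = $chain.Build($sig.SignerCertificate)
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
            $chain.Reset()
        }
        [pscustomobject]@{
            Path      = $p
            Status    = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Type      = $sig.SignatureType   # Authenticode (embedded) or Catalog
            Signer    = $signer
            Algorithm = $algo
            Root      = $root
        }
    }
}

Get-Crypt32Status                          | Format-List
Test-ExpectedHotfix -KbIds $ExpectedKb     | Format-Table -AutoSize
Test-BinarySignature -Paths $FilesToVerify | Format-Table -AutoSize
```

Run it as `.\Check-Crypt32.ps1 -ExpectedKb <ids from the advisory> -MinCrypt32Version <version from the advisory>` on each host, or push it through your configuration-management tooling and collect the objects. The caveat that matters: a `Valid` status returned by an unpatched crypt32.dll is exactly what a flaw in this component undermines, so the signature inventory is only evidence once `MeetsMinimum` is true; before that, treat every signer and root it reports for untrusted binaries as unverified.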

Responding to a request for comment, Microsoft said that “it does not discuss the details of reported vulnerabilities before an update is available.” The company also said in a written statement that “Through our Security Update Validation Program (SUVP), we release advance versions of our updates for the purpose of validation and interoperability testing in lab environments. Participants in this program are contractually disallowed from applying the fix to any system outside of this purpose and may not apply it to production infrastructure.”

The latter point matters because Krebs reported that “Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to January 14, the first Patch Tuesday of 2020.”


The NSA Reported the Flaw to Microsoft

While it is understandable that national security agencies and other high-value targets receive protection first, the early private fix raises further questions about how critical the discovered vulnerability is. In a scheduled call this morning, NSA’s Director of Cybersecurity Anne Neuberger confirmed that the agency did indeed report this vulnerability to Microsoft, and that this is the first time Microsoft will have credited the NSA for reporting a security flaw. Neuberger said NSA researchers discovered the bug in their own research, and that Microsoft’s advisory later today will state that Microsoft has seen no active exploitation of it yet.

Brian Krebs reported that “According to the NSA, the problem exists in Windows 10 and Windows Server 2016. Asked why the NSA was focusing on this particular vulnerability, Neuberger said the concern was that it 'makes trust vulnerable.' The agency declined to say when it discovered the flaw, and that it would wait until Microsoft releases a patch for it later today before discussing further details of the vulnerability.”

Even before details were publicly disclosed, Will Dormann, a security researcher who authors many of the vulnerability reports for the CERT Coordination Center (CERT-CC), tweeted that “people should perhaps pay very close attention to installing tomorrow’s Microsoft Patch Tuesday updates in a timely manner. Even more so than others. I don’t know…just call it a hunch?”

Whatever the severity of a vulnerability, the advice is always the same: keep your systems updated, and apply this month's update promptly. A flaw in the component that validates certificates also makes it important to know which certificates you have and where they are used, so that you can act quickly across the enterprise when a cryptographic incident such as this one occurs. Venafi provides a proven safety net that helps minimize outages caused by certificates expiring or being revoked unexpectedly.

About the author

Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.
