Software Contract Solutions

Windows Server vulnerability disclosed by NSA; don’t wait to patch

The National Security Agency warns the Windows vulnerability allows attackers to evade protections and deliver executable code while appearing as legitimate entities.

Microsoft’s monthly Patch Tuesday included a hefty haul of fixes: 49 total, and one of them is more than just critical. For enterprises running Windows Server 2016 and Server 2019, it’s vital you implement the patch ASAP.

The National Security Agency (NSA) disclosed the Windows vulnerability on Tuesday, the same day the fix was issued. That means the NSA found the flaw likely months ago but held off on public notification until Microsoft could come up with a fix. It would be irresponsible for the NSA, or anyone else, to announce a vulnerability and not give the software maker time to patch it.

The vulnerability was spotted in “crypt32.dll,” a Windows module that has been in both desktop and server versions since NT 4.0 more than 20 years ago. Microsoft describes the library as handling certificate and cryptographic messaging functions in the CryptoAPI.

The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and that includes the use of digital certificates, which is the main point of trust in Windows. You can lock out apps that are not digitally signed by the developer.

Hackers could take advantage of the flaw to fake digital signatures and issue false certificates for malicious software. So the significance of this flaw is clear: Malicious software could be installed on a computer using the main gatekeeper of Windows security that should be blocking it.

The flaw affects only the Windows 10 codebase, so Windows 10, Windows Server 2016 and Server 2019 are the only systems impacted.

The NSA issued an advisory (PDF) last Tuesday, saying the flaw may have far more wide-ranging security implications, and that the exploitation of the vulnerability “allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.”

“NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable,” the advisory added. “The consequences of not patching the vulnerability are severe and widespread.”

There’s pressure to patch quickly because now that the exploit has been published and a fix is out there to reverse engineer, the bad guys will most certainly exploit it. One of the major problems with serious malware attacks such as WannaCry, NotPetya, and HeartBleed is that the fixes were on the Internet for months but people didn’t upgrade or update their systems and were left vulnerable.

This is the case with every vulnerability. The bad guys always look at the fix to find the vulnerability and make exploits, hoping to take advantage of people who are slow to patch. But this case is particularly serious because malware can be disguised to look like legitimate software to be installed on your system, and the CryptoAPI is none the wiser.

So roll out that patch pronto.

This article originally appeared on NetworkWorld.

Share