Brian Krebs posted a story last night about an emergency patch Microsoft sent to government agencies, branches of the US military and other organisations responsible for managing internet infrastructure. The vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles “certificate and cryptographic messaging functions in the CryptoAPI.” The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates.
A critical vulnerability in this Windows component could have wide-ranging security implications for a number of important Windows functions, including authentication on Windows desktops and servers, the protection of sensitive data handled by Microsoft’s Internet Explorer/Edge browsers, as well as a number of third-party applications and tools.
14th, as part of the first Patch Tuesday of 2020. According to these rumors, the patch is so severe that government agencies and critical internet service providers have received warning ahead of time to install and incorporate these patches. More specifically, the patches are stated to fix an issue with \’crypt32.dll.\’ This \’dll\’ hosts the functionality in Windows that handles cryptography and specifically, handles encryption and signature verification.
Assuming the above rumors are true, what can we learn?
Given the advanced warning to critical agencies and providers, we can easily guess is the issue is very severe. Two classes of issues might cause such a response, it\’s either remotely exploitable or severely violates chains of trust.
1. By remotely exploitable, I refer to the option of using a rogue client or server to use maliciously formed TLS traffic and thus execute code on a victim machine. If this is indeed the case, the issue might be \”wormable\” which means a compromised machine can attack other machines on the internet and trigger the same issue. An example of such an issue is the EternalBlue, SMB attack leaked from NSA in 2017.
2. By violating the chain of trust, I refer to the option where the vulnerability allows faking the signature on a binary. For example, convincing the operating system that a malicious binary is actually a legitimately signed one by a respected vendor. This would allow hackers to fool the update mechanism, potentially including Window\’s own Windows Update to install malicious software assuming it was legitimate.
So what should we do?
1. Given the information at our disposal right now, customers should absolutely make sure they apply this patch quickly. This is true for all \”critical patches\” but is doubly true at this time
2. Go proactively hunting and remember that \”looks can be deceiving\”. As we learn the nature of the exact issue, we might need to update our hunting playbooks to account for the option this gives hackers.