Microsoft Issues Patch for Critical CryptoAPI Security Vulnerability

On January 14, Microsoft® issued a security update for Windows® operating systems. This update fixes a vulnerability identified by the U.S. National Security Agency (NSA) in the Windows CryptoAPI component (Crypt32.dll). The vulnerability could allow attackers to spoof code-signing certification and make malicious content appear to be from a legitimate source. 

While delivered as part of the “Patch Tuesday” program in which software updates are typically released on the second Tuesday of the month, this patch has particular urgency. Both CERT Coordination Center researcher Will Dormann and cybersecurity expert Brian Krebs have emphasized the urgency for installing this patch.

The CrytoAPI provides the means to use cryptography for securing Windows applications, including the ability to encrypt or decrypt data with digital certificates. That component has been a part of Windows operating systems for over 20 years, since the release of Windows NT® 4.0. 

The vulnerability may enable attackers to spoof authentication on Windows desktops, servers, browsers, and many third-party applications. It could also allow attackers to fake digital signatures, thus making their malware appear legitimate. As such, bad actors could gain access to confidential information, or use their software to gain entry into systems for malicious purposes.

As reported by Krebs on Security, the flaw was discovered by NSA Director of Cybersecurity Anne Neuberger and conveyed to Microsoft. Microsoft has indicated that there are no reported exploitations of this vulnerability to this point. 

ACA Guidance

ACA Aponix recommends taking the following actions regarding the Microsoft patch update:

• Immediately apply the Microsoft patches to all systems across the organization.

• Encourage the use of automatic Windows Updates for staff end-user devices.

• Monitor system logs and other security resources for unusual activity.

• Ensure that data backup and related resiliency plans are up-to-date and functional.

• Review and update existing incident response plans to prepare reaction in the event of a breach.

• Strongly encourage third-party vendors to apply this and other patch updates, as part of a larger vendor oversight program. 

How We Help

ACA Aponix offers the following solutions that can help your firm in light of the discovered vulnerability, software patching programming, and with data security in general.

• Phishing testing and cyber awareness
• Cyberincident response planning
• Cybersecurity and technology risk assessments
• Penetration testing and vulnerability assessments
• Vendor Diligence and Management
• Policies, procedures, and governance
• Threat intelligence

Contact Us

If you have any questions, please contact your ACA Aponix consultant or email us at info@acaaponix.com.