Microsoft Patches Critical ‘NSACrypt’ Flaw Reported by NSA

  • The flaw is believed to affect millions of Windows 10 computers.
  • It resides in the Crypt32.dll module that contains various ‘Certificate and Cryptographic Messaging functions’.

Software giant Microsoft has released security patches for 49 vulnerabilities as part of the January 2020 Patch Tuesday. Of these, 7 have been rated ‘Critical’ by CVSS score. One of the most notable is a flaw that was first reported by the National Security Agency (NSA).

The flaw, dubbed ‘NSACrypt’ or ‘Windows CryptoAPI Spoofing’, is believed to affect millions of Windows 10 computers.

More details on ‘NSACrypt’

According to the security advisory published by Microsoft, the flaw resides in the Crypt32.dll module that contains various ‘Certificate and Cryptographic Messaging functions’ used by the Windows Crypto API for data encryption.

An attacker can exploit the flaw to spoof legitimate software, potentially making it easier to run malicious software on a vulnerable computer.

“A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source,” says Microsoft’s security advisory.

“The user would have no way of knowing the file was malicious because the digital signature would appear to be from a trusted provider,” Microsoft adds.

What are the consequences?

On unpatched systems, successful exploitation lets attackers mount man-in-the-middle attacks and decrypt confidential information from users’ connections to the affected software.

“This may allow various actions including, but not limited to, interception and modification of TLS-encrypted communications or spoofing an Authenticode signature,” CERT/CC vulnerability analyst Will Dormann explains, as reported by Bleeping Computer.

How has the issue been addressed?

Both NSA and Microsoft say that the vulnerability has not yet been exploited in the wild. Nonetheless, given the severity classification of the vulnerability, Microsoft has issued patches in the latest Patch Tuesday release. Technical details of the flaw have not yet been made public.

“This vulnerability is classed Important and we have not seen it used in active attacks,” Microsoft Security Response Center says in a blog post.

NSA highlights that the consequences of not patching the vulnerability are severe and widespread.
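For defenders who need to confirm a Windows host carries the fix and to watch for exploitation attempts afterwards, the PowerShell script below is an added example; it is not from the article, Microsoft or NSA. It relies on one piece of Microsoft's published guidance for this update that the article does not mention: once the January 2020 update is installed, the Windows CryptoAPI writes Event ID 1 from the provider Microsoft-Windows-Audit-CVE to the Application log whenever it detects an attempt to exploit this certificate-validation flaw. The script reports the installed Crypt32.dll file version for inventory (the module the article names) and then lists any such events. The log name, provider and event ID come from that guidance; the `cert validation` message filter and the 30-day search window are assumptions made here.

```powershell
# Added example (not from the article): inventory Crypt32.dll and look for the
# Audit-CVE events the patched CryptoAPI writes when it blocks a spoofed
# ECC certificate. Run in an elevated PowerShell session on the host being checked.

function Get-Crypt32Info {
    # File version of the module the article discusses. Compare it with the
    # version shipped in the January 2020 cumulative update for your build;
    # on an unpatched host the event query below will never return anything.
    $path = Join-Path $env:SystemRoot 'System32\crypt32.dll'
    $item = Get-Item -LiteralPath $path
    [pscustomobject]@{
        Path          = $item.FullName
        FileVersion   = $item.VersionInfo.FileVersion
        LastWriteTime = $item.LastWriteTimeUtc
    }
}

function Get-CryptoApiAuditEvents {
    param(
        # How far back to search (assumed default: 30 days).
        [int]$Days = 30
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Audit-CVE'   # provider used by the patched CryptoAPI
        Id           = 1
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises a non-terminating error when nothing matches; that is
    # the normal "no exploitation attempts seen" case, so silence it.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        # Audit-CVE is a generic provider, so narrow to certificate-validation
        # events (assumption: this phrase appears in the event message).
        Where-Object { $_.Message -match 'cert validation' } |
        Select-Object TimeCreated, MachineName, Id, Message
}

Get-Crypt32Info | Format-List

$events = @(Get-CryptoApiAuditEvents)
if ($events.Count -eq 0) {
    Write-Output 'No Audit-CVE certificate-validation events found in the search window.'
} else {
    Write-Warning ("{0} Audit-CVE certificate-validation event(s) found; examine the signed file or TLS endpoint named in each message." -f $events.Count)
    $events | Format-Table -AutoSize -Wrap
}
```

Read the two outputs together: an empty event list is only meaningful once the Crypt32.dll version shows the update is installed, because the logging itself is part of the fix. Forwarding these events to a SIEM gives fleet-wide visibility of blocked spoofing attempts that the article's quoted warning says a user could not otherwise recognise.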