Critical Windows patch for cryptography library issued

Yesterday, Microsoft released a patch which fixes a critical spoofing vulnerability that exists in the Windows CryptoAPI library, CRYPT32.DLL. This flaw can facilitate remote code execution, man-in-the-middle, and other attacks through a wide variety of delivery methods, including browsers and emails. Encryption is not an effective defense in this case. Detection of an attack using this method is unlikely because the flaw allows forged traffic to appear to be legitimate. The official guidance is that the issue exists in all Windows 10 versions and all versions of Windows Server 2016 and Windows Server 2019; other sources have reported that all versions of Windows may be affected.

Full details of the vulnerability can be found on Microsoft’s Security Response Center website and an NSA briefing paper.

This has been reported in detail elsewhere, but it bears repeating: this is a vulnerability that is highly likely to be exploited sooner rather than later. Don’t wait.
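A practical first step for defenders is confirming that the fix is actually present on each host and checking for the audit events the patched library emits. The script below is an added example written for this post, not code from Microsoft or the NSA. It assumes that the reader fills in the Knowledge Base article number for their Windows build (the `KBxxxxxxx` placeholder; the correct number is listed in the Microsoft advisory referenced above) and that the patched CRYPT32.DLL writes Event ID 1 from the provider "Microsoft-Windows-Audit-CVE" to the Application log when a forged certificate is presented, which is how Microsoft documented the post-patch detection behaviour.

```powershell
# Added example: verify the CryptoAPI fix and look for audit events. Not part of the original post.
# Replace KBxxxxxxx with the KB number for this host's OS build from the Microsoft advisory.
$KbId = 'KBxxxxxxx'   # placeholder; assumption, not taken from the post

# 1. Is the update installed? Get-HotFix reads the Win32_QuickFixEngineering inventory.
$hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Output "PATCHED: $KbId installed on $($hotfix.InstalledOn)"
} else {
    Write-Output "NOT FOUND: $KbId is not reported as installed; apply the update."
}

# 2. Record the file version of the library the advisory covers, for fleet-wide comparison.
$dll = Get-Item "$env:SystemRoot\System32\crypt32.dll"
Write-Output ("crypt32.dll version: {0}" -f $dll.VersionInfo.FileVersion)

# 3. Post-patch detection: the fixed library raises an Audit-CVE event when it
#    rejects a spoofed certificate. Forward these events to your SIEM.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-Audit-CVE'
    Id           = 1
} -ErrorAction SilentlyContinue

if ($events) {
    Write-Output ("{0} Audit-CVE event(s) found; review the most recent:" -f $events.Count)
    $events | Select-Object -First 5 TimeCreated, Message | Format-List
} else {
    Write-Output "No Audit-CVE events in the Application log."
}
```

Run this per host (for example through your management tooling) and treat "NOT FOUND" as a remediation ticket. Note that the event query is only meaningful after the update is installed; an unpatched host will not log anything because it accepts the forged certificate as valid, which is exactly the detection gap the post describes.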
