Microsoft used its first Patch Tuesday update of the new decade to address a critical vulnerability in its CryptoAPI library.

A default feature within Windows that’s also known as Crypt32.dll, the CryptoAPI patch addresses a bug that could allow rogue actors to fake signatures on encrypted HTTPS communications and launch man-in-the-middle (MitM) attacks. By spoofing Elliptic Curve Cryptography (ECC) certificates, hackers could also make malicious files appear like they were coming from a legitimate source.

The U.S. National Security Agency (NSA) first discovered and informed Microsoft about the vulnerability, the company said.

‘Severe And Widespread’ Risks

Though neither organization has reported any cyberattacks that make use of the bug, CVE-2020-0601, it affects several Windows operating systems. These include Windows 10, Windows Server 2016 and Windows Server 2019.

In its advisory, the NSA said the CryptoAPI vulnerability could lead to remote code execution and the ability to defeat trusted network connections. It also predicted cybercriminals would quickly recognize the opportunity in front of them.

“Remote exploitation tools will likely be made quickly and widely available,” it said, adding that the consequences of not patching CVE-2020-0601 could be “severe and widespread.”

In an interview with security researcher Brian Krebs, Matthew Green, a computer science professor from Johns Hopkins University, said cybercriminals could be creative in their use of the Crypt32 flaw. Users might be fooled into downloading malware disguised as software updates, for instance, or clicking on a website that appears trustworthy.

Besides the CryptoAPI/Crypt32 vulnerability, Microsoft’s Patch Tuesday update dealt with 49 other security gaps in Windows and related applications. It was also a significant milestone in that the update officially ended mainstream support for Windows 7.

Apply Patches to Maintain a Solid Security Posture

While the NSA’s advisory will probably lead organizations to prioritize the CryptoAPI patch, the IT security best practice approach is to patch early, often and extensively. In other words, all the necessary patches should be applied.

Security experts have noted that issues like technical debt and “patch fatigue” can sometimes prevent this from happening. Overcome that by making sure your patch management tools are up to date and by conducting a vulnerability assessment to make sure nothing is overlooked.

More from

Are you ready to build your organization’s digital trust?

4 min read - As organizations continue their digital transformation journey, they need to be able to trust that their digital assets are secure. That’s not easy in today’s environment, as the numbers and sophistication of cyberattacks increase and organizations face challenges from remote work and insider behavior. Digital trust can make your organization’s digital transformation stronger. A lack of digital trust can do irreparable harm. However, according to ISACA’s State of Digital Trust 2023 report, too many organizations struggle to define and implement…

Most organizations want security vendor consolidation

4 min read - Cybersecurity is complicated, to say the least. Maintaining a strong security posture goes far beyond knowing about attack groups and their devious TTPs. Merely understanding, coordinating and unifying security tools can be challenging. We quickly passed through the “not if, but when” stage of cyberattacks. Now, it’s commonplace for companies to have experienced multiple breaches. Today, cybersecurity has taken a seat in core business strategy discussions as the risks and costs have risen dramatically. For this reason, 75% of organizations…

How IBM secures the U.S. Open

2 min read - More than 15 million tennis fans around the world visited the US Open app and website this year, checking scores, poring over statistics and watching highlights from hundreds of matches over the two weeks of the tournament. To help develop this world-class digital experience, IBM Consulting worked closely with the USTA, developing powerful generative AI models that transform tennis data into insights and original content. Using IBM watsonx, a next-generation AI and data platform, the team built and managed the entire…

How the FBI Fights Back Against Worldwide Cyberattacks

5 min read - In the worldwide battle against malicious cyberattacks, there is no organization more central to the fight than the Federal Bureau of Investigation (FBI). And recent years have proven that the bureau still has some surprises up its sleeve. In early May, the U.S. Department of Justice announced the conclusion of a U.S. government operation called MEDUSA. The operation disrupted a global peer-to-peer network of computers compromised by malware called Snake. Attributed to a unit of the Russian government Security Service,…