A critical bug in Windows Server 2016, Windows Server 2019 and Windows 10 was discovered by Microsoft and the NSA. It can potentially allow attackers to abuse the trusted certificates of legitimate vendors and deceive users. Although the vulnerability surfaced publicly only recently, Microsoft and others knew of it well before and have now released a security patch to safeguard users.
An Old Feature Turned Vulnerable
The component exploitable in this issue is the CryptoAPI (crypt32.dll specifically), a decades-old cryptographic component of Windows that developers use to digitally sign their software and that the system uses to authenticate digital licenses.
It performs many other functions, but this one could be exploited by attackers to impersonate the original developers at validation checkpoints in installers and scanning applications. They could distribute malicious code or applications that appear to carry the original developer's legitimate signature, and so reach users unchallenged.
Microsoft said, “The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.”
Further, third-party analysis claims the flaw can also be used to intercept and modify HTTPS traffic, stealing sensitive information sent through web browsers. A comparable incident involving Asus occurred last year, in which attackers obtained a legitimate Asus certificate and used it to compromise hundreds of thousands of users.
Microsoft provided the security patches to high-profile companies, the military and other US government offices ahead of the public release, where it judged the flaw important and likely to be exploited in attacks.
The affected version of this core cryptographic component is present only in Windows Server 2016, Windows Server 2019 and Windows 10; earlier versions such as Windows 8.1 and before lack it and are therefore unaffected by default. Microsoft says it has found no evidence to date of the vulnerability being exploited in any manner, a claim the NSA later confirmed. Microsoft has nevertheless released patches for the flaw along with detailed steps to secure affected systems.