By Karen D. Schwartz

From IT Pro Today

If there’s anything IT professionals have learned over and over again, it’s to apply all security patches as soon as they become available.

That lesson was reinforced in a big way earlier this week when researchers at the National Security Agency discovered a way to exploit a Microsoft Windows vulnerability. More specifically, the Windows CryptoAPI, which is used to process digital certificates that attest to the validity of software via code signing, was found to have a vulnerability that could allow an attacker to craft a certificate that appears to be able to be traced to a trusted root certificate authority.

By exploiting this vulnerability, an attacker may be able to spoof a valid X.509 certificate chain on a vulnerable Windows system. This may allow various actions such as interception and modification of TLS-encrypted communications or spoofing an Authenticode signature. The vulnerability also could leave organizations exposed to possible spoofing of websites as well as software.

What makes the Windows vulnerability notable is the potential to exploit a foundational security technology that Microsoft Windows employs to determine whether an application is trustworthy, said ESG senior analyst Doug Cahill.

ESG’s Doug Cahill

“By gaming the digital cert verification via an API, cyber-adversaries can introduce malware that is then considered legitimate and trusted,” he said.

Microsoft Quickly Patches Flaw

Once Microsoft was alerted to the Windows vulnerability, it immediately issued a patch. While most companies have undoubtedly applied it, others may be behind the curve.

That’s a bad idea, said Scott Crawford, a research vice president at 451 Research; failure to patch vulnerable systems means a system may not be able to determine when an attacker has tried to use an invalid certificate to fraudulently “prove” the legitimacy of software in order to spoof legitimate software. This type of vulnerability can be used to get malicious software onto target machines or displace legitimate functionality with malicious software capability, he said.

While it might seem odd that a major vendor like Microsoft could miss something like this, it’s not all that uncommon.

451 Research’s Scott Crawford

“Cryptography can be very complex to implement and thus presents opportunities for attackers,” Crawford said. “This is one reason why pros will encourage developers not to develop their own cryptography functions, since specialists will focus on these issues and help assure their security when problems are discovered. So in this case, it’s actually good that a company like Microsoft is involved, since it has the resources to respond quickly and effectively.”

In addition to applying the patch immediately if they haven’t done so already, companies should maintain good software update practices, Crawford said.

It’s also a good idea to use endpoint security software designed to detect advanced malware with a combination of pre-execution and runtime detection techniques, Cahill added.

Ambuj Kumar, CEO of security vendor Fortanix, warns that vulnerabilities in cryptographic APIs may continue to arise. To protect themselves, businesses should always maintain best practices in security, including rotating certificates frequently and building defense in depth and layers of security, he said.