In the changelog of the newest Cumulative Update released for various Windows 10 versions, we can read about a major vulnerability in the Windows CryptoAPI (Crypt32.dll) that just got patched (CVE-2020-0601, the flaw in the way Crypt32.dll validates Elliptic Curve Cryptography certificates that was reported to Microsoft by the NSA). If exploited, the vulnerability allows an attacker to spoof certificates, which makes malicious files, and TLS connections, appear as if they came from legitimate sources.
The vulnerability affects all Windows 10 versions back to at least 1607, which means Windows Server 2016 and 2019 are affected as well. We urge everyone to update servers and clients ASAP to avoid getting exploited.
How to remediate?
Simple: install the latest Cumulative Update for whatever Windows-based operating system you run on clients and servers, then reboot. Afterwards, make sure you are on at least the following build numbers, and you should be all good (check by opening CMD and running "winver"; a later cumulative update will show a higher number after the dot, which is fine):
- Windows 10 1909: 18363.592
- Windows 10 1903: 18362.592
- Windows 10 1809 and Windows Server 2019: 17763.973
- Windows 10 1607 and Windows Server 2016: 14393.3443
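Checking winver by hand does not scale past a handful of machines, so here is a PowerShell script added to this post (it is not Ironstone's own tooling) that reads the same build number winver shows, compares it against the table above, and confirms the matching KB is in the installed-updates list. The mapping of KB to branch is taken from the Microsoft pages linked at the end (KB4528760 for 1903/1909, KB4534273 for 1809/Server 2019, KB4534271 for 1607/Server 2016); the registry values CurrentBuild and UBR are where Windows 10 keeps the build and cumulative-update revision. The last function is a bonus check: once the fix is installed, Crypt32.dll logs attempts to use a forged certificate as Event ID 1 from the Microsoft-Windows-Audit-CVE provider in the Application log, which is Microsoft's documented post-patch behaviour rather than something from this post.

```powershell
# Added example, not part of the original post.
# Minimum patched builds per branch, as listed in the post. Comparison is ">=",
# because later cumulative updates raise the revision after the dot.
$minimumPatched = @{
    '18363' = [version]'10.0.18363.592'   # Windows 10 1909
    '18362' = [version]'10.0.18362.592'   # Windows 10 1903
    '17763' = [version]'10.0.17763.973'   # Windows 10 1809 / Windows Server 2019
    '14393' = [version]'10.0.14393.3443'  # Windows 10 1607 / Windows Server 2016
}

# KB that carries the fix on each branch (from the Microsoft pages linked below).
$kbByBuild = @{
    '18363' = 'KB4528760'
    '18362' = 'KB4528760'
    '17763' = 'KB4534273'
    '14393' = 'KB4534271'
}

function Get-CurrentOsVersion {
    # winver shows "OS Build 18363.592". The same two numbers live in the registry:
    # CurrentBuild is the branch build, UBR is the cumulative-update revision.
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [version]('10.0.{0}.{1}' -f $cv.CurrentBuild, $cv.UBR)
}

function Test-CryptoApiPatch {
    param([version]$Current = (Get-CurrentOsVersion))

    $branch = [string]$Current.Build
    if (-not $minimumPatched.ContainsKey($branch)) {
        # Branch not in the table above (for example 1709 or 1803): look up its
        # own January 2020 build on the Update History page before trusting it.
        return [pscustomobject]@{
            Build       = $Current
            Status      = 'Unknown'
            Required    = $null
            KB          = $null
            KBInstalled = $null
        }
    }

    $patched = $Current -ge $minimumPatched[$branch]
    $status  = if ($patched) { 'Patched' } else { 'VULNERABLE' }

    # Belt and braces: the KB should also appear in the installed-updates list.
    # A missing entry with a good build number usually means a pending reboot.
    $hotfix = Get-HotFix -Id $kbByBuild[$branch] -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Build       = $Current
        Status      = $status
        Required    = $minimumPatched[$branch]
        KB          = $kbByBuild[$branch]
        KBInstalled = [bool]$hotfix
    }
}

function Get-CryptoApiAuditEvents {
    # After the fix is installed, Crypt32.dll writes Event ID 1 from the
    # Microsoft-Windows-Audit-CVE provider whenever it rejects a crafted
    # certificate. Any hit here is an exploitation attempt worth investigating.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Audit-CVE'
        Id           = 1
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'CVE-2020-0601' } |
        Select-Object TimeCreated, MachineName, Message
}

Test-CryptoApiPatch | Format-List
Get-CryptoApiAuditEvents | Format-Table -AutoSize
```

Run it locally, or wrap it in Invoke-Command -ComputerName against a list of servers to get one object per machine you can sort on Status. A build number that is high enough but KBInstalled = False is the typical sign of an update that was downloaded but not yet applied with a reboot, so treat that machine as unpatched until it restarts.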
What can Ironstone do?
At Ironstone, we have managed services in place to make sure both clients and servers handled by us get critical fixes such as this as soon as possible.
For clients, we use Intune MDM with Windows Update for Business, where we can configure everything from which Windows 10 version to run, how many days to defer updates, how updates get delivered, and more. For urgent cases like this, we can push security updates as soon as Microsoft releases them. It's available as a part of our managed client service, Best Place to Work.
For servers, we use Azure Update Management to ensure servers get patched in a timely manner. We can also make sure that servers get patched only within specified maintenance windows.
Patching should not be a manual task in 2020. Automating this process is not only convenient but also more secure. I'm a great believer in automation!
End of life for older operating systems
It's an excellent time to yet again inform our readers that multiple Windows operating systems have reached End of Life: Extended Support for Windows 7, Windows Server 2008 and Windows Server 2008 R2 ended on 14 January 2020, and the January 2020 update is the last publicly available update released for them.
It means that if major vulnerabilities such as the one mentioned in this blog post were to appear in those operating systems in the future, you would not get any more patches from Microsoft unless you pay handsomely for them through the Extended Security Updates program.
Are you still running applications that require a Windows 7 operating system? Read more about Windows Virtual Desktop and discover its potential and benefits.
If you're still on aging software and need help to get up to speed, we're happy to help. While we're talking about lifecycles and end of life, here is a useful search tool from Microsoft where you can check all Microsoft software for End Of Life dates.
Windows 10 1909 Update History: https://support.microsoft.com/en-us/help/4529964
Windows 10 1903 Update History: https://support.microsoft.com/en-us/help/4498140
Windows 10 1809 & Windows Server 2019 Update History: https://support.microsoft.com/en-us/help/4464619
Windows 10 1607 & Windows Server 2016 Update History: https://support.microsoft.com/en-us/help/4534271
Search Product Life Cycle: https://support.microsoft.com/en-us/lifecycle/search
Windows 10 Cumulative Updates KB4528760 & KB4534273 Released: https://www.bleepingcomputer.com/news/microsoft/windows-10-cumulative-updates-kb4528760-and-kb4534273-released/
Microsoft's January 2020 Patch Tuesday Fixes 49 Vulnerabilities: https://www.bleepingcomputer.com/news/microsoft/microsofts-january-2020-patch-tuesday-fixes-49-vulnerabilities/
Microsoft Fixes Windows CryptoAPI Spoofing Flaw Reported by NSA: https://www.bleepingcomputer.com/news/security/microsoft-fixes-windows-cryptoapi-spoofing-flaw-reported-by-nsa/