Microsoft has pushed out its latest security updates that include patches for severe vulnerabilities affecting Windows 10 and Windows Server 2016/2019.
US security agencies published announcements encouraging system administrators to ensure updates are applied.
Among the general security updates were four severe vulnerabilities. Two of them affect Windows Remote Desktop Gateway, leaving systems exposed to attackers who send “specially crafted requests” before user authentication takes place.
Microsoft also patched a Windows Remote Desktop Client vulnerability that allowed attackers to “execute arbitrary code on the computer of the connecting client”. Attacks on Windows systems using this vector require the user to connect to a malicious server, possibly by way of a man-in-the-middle attack or DNS poisoning.
Such a man-in-the-middle attack could be mounted by exploiting the now-patched CryptoAPI spoofing vulnerability.
Affecting Crypt32.dll, this vulnerability is in the way Windows validates Elliptic Curve Cryptography (ECC) certificates.
Signed files, emails, executable code, and HTTPS connections could be impacted by the exploit that was discovered and disclosed by the US National Security Agency (NSA).
In a statement urging Windows users to install the security updates, the NSA recommended that system administrators “prioritise endpoints that provide essential or broadly relied-upon services”, such as those that perform TLS validation, host critical infrastructure, are directly exposed to the internet, or are used by privileged users.
To detect or prevent exploitation, the NSA suggests extracting certificates from network traffic with tools like Wireshark and analysing them with utilities like OpenSSL or Windows certutil.
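The analysis step described above, as an added example that is not code from the article, the NSA, or Microsoft: once certificates have been exported from a Wireshark capture, this Python script walks the DER structure to the SubjectPublicKeyInfo and reports whether an ECC certificate references a standard named curve or carries explicit curve parameters. The check itself draws on the public description of the CryptoAPI flaw, which the article does not detail: RFC 5480 requires certificates to use the namedCurve form, so explicit parameters are the anomaly a defender would cross-check against the trusted root store. The three sample certificates are constructed inside the script with placeholder fields and dummy key bytes; they are not real certificates.

```python
import ssl

# OIDs from RFC 5480 / RFC 3279. The sample inputs at the bottom are constructed, not real.
OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"    # id-ecPublicKey
OID_PRIME_FIELD = "1.2.840.10045.1.1"      # prime-field (fieldID of explicit ECParameters)
OID_ECDSA_SHA256 = "1.2.840.10045.4.3.2"   # ecdsa-with-SHA256
OID_RSA = "1.2.840.113549.1.1.1"           # rsaEncryption
OID_P256 = "1.2.840.10045.3.1.7"           # secp256r1


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield the (tag, value_start, value_end) triples inside a constructed element."""
    pos = start
    while pos < end:
        tlv = _read_tlv(buf, pos)
        yield tlv
        pos = tlv[2]


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def load_cert(path):
    """Read a certificate exported from a capture, accepting either PEM or DER."""
    data = open(path, "rb").read()
    return ssl.PEM_cert_to_DER_cert(data.decode("ascii")) if data.startswith(b"-----BEGIN") else data


def classify_ec_params(cert_der):
    """Return 'named-curve:<oid>', 'explicit', 'absent', 'unknown' or 'not-ec' for a DER certificate."""
    _, cert_s, _ = _read_tlv(cert_der, 0)                # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = _read_tlv(cert_der, cert_s)        # tbsCertificate
    fields = list(_children(cert_der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                             # optional [0] EXPLICIT version
        fields.pop(0)
    # Remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, spki_s, _ = fields[5]
    _, alg_s, alg_e = _read_tlv(cert_der, spki_s)        # AlgorithmIdentifier inside SPKI
    parts = list(_children(cert_der, alg_s, alg_e))      # [algorithm OID, parameters]
    if _decode_oid(cert_der[parts[0][1]:parts[0][2]]) != OID_EC_PUBLIC_KEY:
        return "not-ec"
    if len(parts) < 2:
        return "absent"
    tag, ps, pe = parts[1]
    if tag == 0x06:                                      # namedCurve OBJECT IDENTIFIER
        return "named-curve:" + _decode_oid(cert_der[ps:pe])
    return "explicit" if tag == 0x30 else "unknown"      # 0x30 = explicit ECParameters SEQUENCE


def is_suspicious(cert_der):
    """RFC 5480 mandates namedCurve, so explicit parameters are the red flag to investigate."""
    return classify_ec_params(cert_der) == "explicit"


# --- constructed sample inputs: DER built by hand with placeholder fields, no real keys ---
def _der(tag, value):
    n = len(value)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + value


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return _der(0x06, bytes(body))


def _fake_cert(key_oid, params):
    """Structurally valid, unsigned certificate; everything but the SPKI is a placeholder."""
    spki = _der(0x30, _der(0x30, _oid(key_oid) + params) + _der(0x03, b"\x00" * 66))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, _oid(OID_ECDSA_SHA256)) + _der(0x30, b"") * 3 + spki)
    return _der(0x30, tbs + _der(0x30, _oid(OID_ECDSA_SHA256)) + _der(0x03, b"\x00"))


# Explicit ECParameters laid out per RFC 3279, with placeholder numbers (not a usable curve).
_EXPLICIT_PARAMS = _der(0x30, _der(0x02, b"\x01")                              # version
                        + _der(0x30, _oid(OID_PRIME_FIELD) + _der(0x02, b"\x17"))  # fieldID
                        + _der(0x30, _der(0x04, b"\x01") + _der(0x04, b"\x01"))    # curve a, b
                        + _der(0x04, b"\x04\x01\x01") + _der(0x02, b"\x1d") + _der(0x02, b"\x01"))

SAMPLE_NAMED = _fake_cert(OID_EC_PUBLIC_KEY, _oid(OID_P256))
SAMPLE_EXPLICIT = _fake_cert(OID_EC_PUBLIC_KEY, _EXPLICIT_PARAMS)
SAMPLE_RSA = _fake_cert(OID_RSA, _der(0x05, b""))

if __name__ == "__main__":
    for name, cert in (("named", SAMPLE_NAMED), ("explicit", SAMPLE_EXPLICIT), ("rsa", SAMPLE_RSA)):
        print(name, classify_ec_params(cert), "SUSPICIOUS" if is_suspicious(cert) else "ok")
```

For real captures, call `classify_ec_params(load_cert(path))` on each file exported from Wireshark; a result of `explicit` on a certificate chaining to a public root is worth comparing, field by field, with the genuine root certificate, which is the same inspection `openssl x509 -text` or `certutil -asn` makes possible by hand.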
“The consequences of not patching the vulnerability are severe and widespread,” the NSA warned.
“Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.”
Microsoft has not yet observed any exploitation of these vulnerabilities, but warns that exploitation is “likely”.
The US Cybersecurity and Infrastructure Security Agency added that the publicly released patches mean “the underlying vulnerabilities can be reverse-engineered to create exploits that target unpatched systems”.
The updates became available on the day Microsoft officially stopped supporting Windows 7.