Google has released Chrome 79.0.3945.130, which adds protection against attacks that exploit a recently fixed vulnerability in the Windows library crypt32.dll.
The vulnerability in question is CVE-2020-0601 in the cryptographic library crypt32.dll, about which Microsoft informed experts from the US National Security Agency. With its help, an attacker can create a TLS certificate or a digital signature for code and spoof any website on the Internet. The vendor fixed the problem with the release of its January security updates.
The day after the patch was released, a PoC attack exploiting the vulnerability was presented.
“Code has been added to the new version of Chrome that allows the browser to examine the integrity of the site’s digital certificate more deeply before allowing the user to access it,” Google reported.
According to Ryan Sleevi, the code's developer and a Google specialist, the new additional certificate verification function is not perfect, but it is a good temporary solution while users install updates on their Windows devices and while Google works on more advanced verification technologies.
“The new feature is not perfect, but it is quite enough for security verification until we switch to our verification tool or tighten the blocking of 3P modules, even for CAPI,” said Sleevi.
At the same time, users are complaining about problems installing the patch for this widely publicized vulnerability.
On January 14 this year, as part of “Patch Tuesday”, Microsoft released a patch for an extremely dangerous vulnerability in the cryptographic library crypt32.dll, which allows spoofing of any site on the Internet. However, installing the cumulative update KB4528760 proved problematic for some users.
After the patch was released, reports of difficulties installing it began to appear on Reddit. In particular, the problem affected users of the Windows 10 May 2019 Update and the Windows 10 November 2019 Update.
“I can’t upgrade as I get the error ‘Unable to complete the installation process because the update service is being closed’,” said one of the Reddit users.
Microsoft has not yet confirmed the existence of the problem, so there is currently no official solution to it.