Agencies urged to install Patch Tuesday security fixes


By Dylan Bushell-Embling
Wednesday, 15 January, 2020

Government agencies in Australia and the US have been urged to apply the critical security updates released by Microsoft on Tuesday, which include fixes for major threats such as the recently disclosed certificate spoofing vulnerability in Windows 10.

The vulnerability in the way Windows CryptoAPI validates elliptic curve cryptography (ECC) certificates was discovered by the US National Security Agency, which took the unprecedented step of disclosing it to Microsoft rather than keeping it for its own attack arsenal.

It allows malicious software to appear to be authentically signed by a trusted organisation, and could additionally be exploited to allow man-in-the-middle attacks.

The Australian Cyber Security Centre said that it "recommends that users of these products apply patches urgently to prevent malicious actors from using these vulnerabilities to compromise your network".

In the US, the Department of Homeland Security's Cyber Infrastructure and Security Agency (CISA) has instructed federal US government agencies to apply the latest Patch Tuesday security update within 10 business days.

CISA also highlighted the fixes for vulnerabilities in the Windows Remote Desktop Protocol (RDP) client used by all supported versions of Windows, as well as the RDP Gateway Server that allow for remote code execution without requiring authentication or user interaction.

As well as instructing agencies to apply the patches, CISA has told them to report on their progress applying the patch by Friday, and to submit a completion report by 29 January.

Agencies have also been told to put technical and management controls in place to ensure newly provisioned or offline endpoints are patched before being connected or reconnected to agency networks.
