Researchers warn of a critical vulnerability that puts a variety
Information security researchers have warned that a large number of Windows devices connected to the Internet still suffer from a critical vulnerability that Microsoft fixed in mid-2022.
According to Akamai researchers, vulnerabilities in data centers and Windows devices remain unpatched, exposing users to various malware attacks and even ransomware.
Researchers have published a proof-of-concept (PoC) of the vulnerability and found a high percentage of devices that have not yet been patched.
Researchers explain that the vulnerability, tracked with identifier CVE-2022-34689, affects Microsoft's Windows CryptoAPI, a service that allows developers to secure Windows applications through encryption.
Hackers can exploit the vulnerability to impersonate another application or operating system and run these applications without warning.
"We found that less than 1% of the visible devices in the data center were patched, leaving the rest unprotected from exploiting this vulnerability," Akamai researchers said.
Speaking to The Register, the researchers confirmed that 99% of devices connected to the Internet are insecure, but that does not necessarily mean they are vulnerable, because attackers still need a vulnerable application to exploit.
The vulnerability is rated critical, with a score of 7.5. Microsoft released a patch in October 2022, but few users have applied it so far.
“So far, we have found that older versions (v48 and earlier) of the Chrome browser and applications based on the Chromium project can be exploited. We believe there are many vulnerable targets on the Internet and our research is ongoing.”
In fixing the bug, Microsoft said there was no evidence of the bug being exploited on the Internet. But now that a proof of concept of the vulnerability is available, attackers can start looking for vulnerable devices to target.