This week, Microsoft released a security update to fix “a broad cryptographic vulnerability” discovered within its Windows operating system. The bug was first identified and reported by the US National Security Agency (NSA), and should be patched immediately.

The vulnerability affects certain versions of Microsoft Windows and is a known issue; the recommendation is to patch any Windows computers as soon as possible.

According to Microsoft, an attacker could exploit this bug “to sign a malicious executable, making it appear the file was from a trusted, legitimate source.”

The bug could also be used to fake digital certificates used for encrypted communications.

“A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software,” Microsoft said.

This vulnerability impacts Windows 10, Windows Server 2019, and Windows Server 2016 OS versions.

What you should do:

Consider enabling auto-updates on your computer systems and keep them as up to date as possible. This patch should be treated with urgency and applied as soon as possible.

Details:

The vulnerability, tracked as CVE-2020-0601, impacts the Windows CryptoAPI, a core component of the Windows operating system that handles cryptographic operations.

According to a security advisory published on Tuesday, “a spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.”
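As an added example for defenders (not code from the article or from Microsoft): once the update is installed, the patched Crypt32.dll records any attempt to present a certificate that abuses this flaw as Event ID 1 in the Windows Application log, with source "Audit-CVE" and a message beginning "[CVE-2020-0601] cert validation". The script below pulls those events for review. The seven-day lookback window is a constructed default, and the message filter assumes the event text contains the CVE identifier as documented; adjust both to local needs.

```powershell
# Added example, not part of the original article.
# Collects CVE-2020-0601 detection events written by a patched Windows host.
# Assumptions: the host has the January 2020 update installed (otherwise the
# Audit-CVE event is never produced); $Since is a constructed default window.

param(
    [datetime]$Since = (Get-Date).AddDays(-7)
)

# Event ID 1 is shared by many providers, so filter on the Audit-CVE source and
# on the CVE identifier in the message text rather than on the ID alone.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object {
        $_.ProviderName -like '*Audit-CVE*' -and
        $_.Message -like '*CVE-2020-0601*'
    }

if (-not $events) {
    Write-Output "No CVE-2020-0601 detection events in the Application log since $Since."
    Write-Output "Only a patched system logs this event; no events does not prove the update is installed."
    return
}

# One row per detection: when it happened and the full event text, which names
# the certificate chain and the process that attempted the validation.
$events |
    Sort-Object TimeCreated |
    ForEach-Object {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Computer    = $_.MachineName
            Message     = ($_.Message -replace '\s+', ' ').Trim()
        }
    } |
    Format-Table -Wrap -AutoSize
```

Run it on any host that has received the update; a hit means a process on that machine was handed a certificate the fixed CryptoAPI rejected, which is worth a closer look at the named process and the connection it was making. Forwarding the Application log to a central collector and alerting on source Audit-CVE, Event ID 1 turns this one-off check into continuous detection.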