On 14th January , the United State National Security Agency (NSA) announced a bug that could have left over 900 million PCs vulnerable to attack.
Microsoft released a patch for Windows 10 and Server 2016 today after the United State National Security Agency found and disclosed this serious security flaw.
The bug is in Windows’ mechanism for confirming the legitimacy of software or establishing secure web connections. If the verification check itself isn’t trustworthy, attackers can exploit that fact to remotely distribute malware or intercept sensitive data.
According to Microsoft:
“A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.
An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.
The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider. A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.”
The flaw is specifically in Microsoft’s CryptoAPI service, which helps developers cryptographically “sign” software and data or generate digital certificates used in authentication—all to prove trustworthiness and validity when Windows checks for it on users’ devices. An attacker could potentially exploit the bug to undermine crucial protections, and ultimately take control of victim devices.
The United State NSA advises everyone to update their Windows 10 and Windows Server 2016 right away:
“NSA recommends installing all January 2020 Patch Tuesday patches as soon as possible to effectively mitigate the vulnerability on all Windows 10 and Windows Server 2016/2019 systems. In the event that enterprise-wide, automated patching is not possible, NSA recommends system owners prioritize patching endpoints that provide essential or broadly replied-upon services.”
If you haven’t updated your Windows 10 or Windows Server 2016 yet, do it right now!
To update Windows Manually, click the Start button, then go to Settings > Update & Security > Windows Update.
References
