Microsoft on Tuesday rolled out an important security fix after the U.S. National Security Agency tipped off the company to a serious flaw in its widely used Windows operating system.
The patches address the vulnerability CVE-2020-0601 in the usermode cryptographic library, CRYPT32.DLL, which affects Windows 10, Windows Server 2016 and Windows Server 2019 systems. The vulnerability exists in the way Windows CryptoAPI validates Elliptic Curve Cryptography (ECC) certificates. This vulnerability is classed "Important" and Microsoft says it has not seen it used in active attacks.
An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.
A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.
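As an added defender-side example (not from the article, the NSA advisory or Microsoft's code): the spoofed certificates in this flaw carry an ECC key whose curve parameters are spelled out explicitly instead of referencing a named curve, so one practical hardening and detection check is to reject any certificate whose EC AlgorithmIdentifier does not carry a named-curve OID. The DER samples below are constructed for illustration and are not real certificates.

```python
ID_EC_PUBLIC_KEY = bytes.fromhex("06072a8648ce3d0201")   # OID 1.2.840.10045.2.1 (id-ecPublicKey)
OID_SECP256R1 = bytes.fromhex("06082a8648ce3d030107")    # OID 1.2.840.10045.3.1.7 (prime256v1)

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER element with a short- or long-form length (used to build samples)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content

def ec_parameter_kind(der: bytes) -> str:
    """Classify the parameters of the EC AlgorithmIdentifier found in a DER blob.

    Returns 'named' (OBJECT IDENTIFIER), 'explicit' (ECParameters SEQUENCE),
    'implicit' (NULL, implicitlyCA) or 'none' when no id-ecPublicKey is present.
    The scan is a plain byte search, so it works on a bare AlgorithmIdentifier,
    a SubjectPublicKeyInfo or a whole DER certificate.
    """
    idx = der.find(ID_EC_PUBLIC_KEY)
    if idx < 0 or idx + len(ID_EC_PUBLIC_KEY) >= len(der):
        return "none"
    tag = der[idx + len(ID_EC_PUBLIC_KEY)]
    return {0x06: "named", 0x30: "explicit", 0x05: "implicit"}.get(tag, "none")

def should_reject(der: bytes) -> bool:
    """Policy: only named-curve EC keys are acceptable; anything else is rejected."""
    return ec_parameter_kind(der) != "named"

# Constructed samples (not real certificates): one AlgorithmIdentifier naming
# secp256r1, one carrying explicit parameters whose body is a stand-in (the
# check only needs the outer tag of the parameters field), and an RSA one.
NAMED_ALG = der_tlv(0x30, ID_EC_PUBLIC_KEY + OID_SECP256R1)
EXPLICIT_PARAMS = der_tlv(0x30, der_tlv(0x02, b"\x01") + der_tlv(0x30, b""))  # version, empty fieldID
EXPLICIT_ALG = der_tlv(0x30, ID_EC_PUBLIC_KEY + EXPLICIT_PARAMS)
RSA_ALG = der_tlv(0x30, bytes.fromhex("06092a864886f70d010101") + der_tlv(0x05, b""))

if __name__ == "__main__":
    for name, blob in [("named", NAMED_ALG), ("explicit", EXPLICIT_ALG), ("rsa", RSA_ALG)]:
        print(name, ec_parameter_kind(blob), "reject" if should_reject(blob) else "accept")
```

Run over certificates pulled from a signed binary or a TLS handshake, a hit on "explicit" is the signal to investigate; on patched systems CryptoAPI itself now logs such certificates, so this is a complement for unpatched hosts and for offline triage.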
NSA official Anne Neuberger noted that operators of classified networks had already been prodded to install the update and everyone else should now “expedite the implementation of the patch.”
NSA had been criticized after its own cyberspies took advantage of vulnerabilities in Microsoft products to deploy hacking tools against adversaries and kept Microsoft in the dark about it for years.
When one such tool was leaked to the internet by a group, it was deployed against targets around the globe by hackers of all stripes. A group used the tool to unleash a massive malware outbreak dubbed WannaCry in 2017.