NSA & Microsoft Recommend Updating ‘Windows 10’ Via Cybersecurity Guidance Advisory; “Patches Potentially Serious Vulnerability”

If you have Windows 10, and do not utilize Automatic Updates and/or want to run your Windows Update manually to get the patch quickly, follow these instructions from Microsoft and click the “Check for Windows updates” button.

PALM BEACH, FL – On Tuesday, January 14, 2020, the U.S. National Security Agency released a Cybersecurity Advisory urging users of Microsoft’s Windows 10 operating system to patch a potentially serious vulnerability.

NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows® cryptographic functionality. The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.

Microsoft also released details about the vulnerability, which could allow an attacker to use a spoofed code-signing certificate – a sort of digital signature used to validate legitimate apps – to sign malicious software. This would allow the malware to appear to be from a trusted source and could make detection significantly more difficult.

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider. A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software. The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.


Stay connected with The Published Reporter® - like/follow us: Facebook, Instagram, Twitter - thank you!

This vulnerability affects Windows 10 and Windows Server 2016/2019.

  1. If you have Windows 10, and do not utilize Automatic Updates and/or want to run your Windows Update manually to get the patch quickly, follow these instructions from Microsoft and click the “Check for Windows updates” button.
  2. Alternatively, when you are at your Windows 10 computer, click the Start button, select Settings, then Update & Security, then Windows Update, and click Check for updates to run Windows Update manually.
  3. If you have multiple PCs running Windows 10, ensure they are all up-to-date with the latest security patches.
  4. DO NOT attempt to download a patch for this vulnerability from anywhere other than the Windows Update tool. Windows system updates should only be downloaded directly from Microsoft.
  5. If you would like to read more about the unprecedented nature of the partnership between the NSA and Microsoft relating to this patch, click here (Washington Post) or here (Business Insider).
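The steps above are the manual route through Settings. As an added example that is not the article's, NSA's or Microsoft's own code, the PowerShell below does the defender-side equivalent from an elevated prompt on one host: it confirms the machine is in the affected OS family (Windows 10 and Server 2016/2019 all report version 10.0), checks whether the January 2020 update is already installed, asks the Windows Update service itself what is still pending (the only patch channel the article recommends), and counts the Audit-CVE events the patched Crypt32 writes to the Application log when it rejects a spoofed certificate. The KB identifier is a placeholder because the article does not state it; the Audit-CVE provider name and event ID follow Microsoft's description of the patched behaviour, and `$RequiredKb` is an assumed variable name.

```powershell
# Added example, not from the article, NSA or Microsoft.
# Fill in the KB number of the January 2020 cumulative update for your build
# from Microsoft's advisory; the value below is a placeholder, not a real id.
$RequiredKb = 'KB<fill-in-from-Microsoft-advisory>'

# 1. Affected OS family? Windows 10 and Windows Server 2016/2019 are all 10.0.x builds.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$affectedFamily = $os.Version -like '10.0.*'
"OS: $($os.Caption), build $($os.BuildNumber); affected family: $affectedFamily"

# 2. Is the update already on this host? Get-HotFix reads the installed-updates list.
$installed = Get-HotFix | Where-Object HotFixID -eq $RequiredKb
if ($installed) {
    "$RequiredKb installed on $($installed.InstalledOn)"
} else {
    "$RequiredKb NOT found; run Windows Update (Settings > Update & Security > Windows Update)"
}

# 3. Ask the Windows Update agent (COM API) which software updates are still pending.
#    This contacts the update service, so it needs network access and may take a minute.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates
foreach ($u in $pending) { "Pending: $($u.Title)" }

# 4. Once patched, Crypt32 logs blocked exploitation attempts as Audit-CVE events
#    (Application log, provider Microsoft-Windows-Audit-CVE, event ID 1) whose
#    message names CVE-2020-0601. Zero events is the normal, expected result.
$events = Get-WinEvent -FilterHashtable @{
              LogName      = 'Application'
              ProviderName = 'Microsoft-Windows-Audit-CVE'
              Id           = 1
          } -ErrorAction SilentlyContinue |
          Where-Object Message -match 'CVE-2020-0601'
"Audit-CVE events mentioning CVE-2020-0601: $(@($events).Count)"
```

Run it once before and once after applying the update: before, step 2 reports the KB missing and step 3 should list the cumulative update as pending; after, step 2 shows the install date and step 4 starts returning events only if something on the host presents a certificate the fixed validator rejects, which is the signal to pull that file or connection for investigation.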