PALM BEACH, FL – On Tuesday, January 14, 2020, the U.S. National Security Agency released a Cybersecurity Advisory urging users of Microsoft’s Windows 10 operating system to patch a potentially serious vulnerability.
NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows cryptographic functionality. The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.
Microsoft also released details about the vulnerability, which could allow an attacker to use a spoofed code-signing certificate – a sort of digital signature used to validate legitimate apps – to sign malicious software. This would allow the malware to appear to be from a trusted source and could make detection significantly more difficult.
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider. A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software. The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.
This vulnerability affects Windows 10.
- If you have Windows 10, and do not utilize Automatic Updates and/or want to run your Windows Update manually to get the patch quickly, follow these instructions from Microsoft and click the “Check for Windows updates” button.
- Alternatively, when you are at your Windows 10 computer, click the Start button, select Settings, then Update & Security, then Windows Update, and click Check for updates to run Windows Update manually.
- If you have multiple PCs running Windows 10, ensure they are all up-to-date with the latest security patches.
- DO NOT attempt to download a patch for this vulnerability from anywhere other than the Windows Update tool. Windows system updates should only be downloaded directly from Microsoft.
- If you would like to read more about the unprecedented nature of the partnership between the NSA and Microsoft relating to this patch, click here (Washington Post) or here (Business Insider).
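The steps above are the manual Windows Update procedure. The following PowerShell script is an added example, not part of the article or of Microsoft's guidance text, that does the same check from the command line so it can be repeated across several PCs: it lists updates still pending from Windows Update, lists updates installed on or after the advisory date as a rough indicator, and then looks for the Application-log event that the patched CryptoAPI writes when it rejects a certificate that would have passed the old, incomplete ECC validation. The event provider name `Microsoft-Windows-Audit-CVE` and Event ID 1 are taken from Microsoft's published detection guidance for this fix and are not stated in the article; treat them as an assumption to confirm against current Microsoft documentation. No KB number is hard-coded because the article does not give one and it differs by Windows build.

```powershell
# Added example (not from the article): check CVE-2020-0601 patch state and look for
# the post-patch audit events that signal an attempted exploitation.
# Assumption: provider 'Microsoft-Windows-Audit-CVE' / Event ID 1 per Microsoft's guidance.

function Get-PendingSoftwareUpdates {
    # Same search that "Check for updates" in Settings performs, via the Windows Update Agent COM API.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{ Title = $u.Title; KBs = ($u.KBArticleIDs -join ',') }
    }
}

function Get-RecentHotfixes {
    param([datetime]$Since = [datetime]'2020-01-14')   # advisory date from the article
    # Heuristic only: lists updates installed on or after the advisory date.
    # Map the exact KB for your build from Microsoft's CVE-2020-0601 page before relying on this.
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Select-Object HotFixID, Description, InstalledOn
}

function Get-CurveBallAuditEvents {
    param([int]$Days = 30)
    # Once the fix is installed, CryptoAPI logs an Application-log event for certificates that
    # only the old, incomplete ECC validation would have accepted. Any hit deserves investigation.
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Audit-CVE'   # assumed provider name (see lead-in)
        Id           = 1
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*CVE-2020-0601*' } |
        Select-Object TimeCreated, MachineName, Message
}

# Usage: run in an elevated PowerShell on each Windows 10 machine
# (or wrap the calls in Invoke-Command -ComputerName for a fleet).
Get-PendingSoftwareUpdates | Format-Table -AutoSize
Get-RecentHotfixes         | Format-Table -AutoSize
Get-CurveBallAuditEvents   | Format-List
```

An empty result from the pending-updates search together with a recent entry from `Get-RecentHotfixes` is the expected state after patching; the audit-event query is only meaningful on a machine that already has the fix, since unpatched CryptoAPI writes no such event.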