Microsoft has released a security patch for a serious security flaw affecting the Windows 10 operating system. The vulnerability was found in CryptoAPI, a roughly two-decade-old Windows cryptographic component that validates ECC certificates. The exploit could potentially allow hackers to spoof the digital signature on a malicious file in order to run it on a vulnerable computer. The CryptoAPI spoofing vulnerability was reported to Microsoft by the US National Security Agency, following which a fix was rolled out. Here’s everything to know:
Microsoft bug: What is it and which OS version does it affect?
The vulnerability has been found in Windows CryptoAPI, which allows developers to sign digital certificates for their software using cryptography. The bug affects millions of Windows 10 systems. If exploited, the flaw could have potentially serious consequences for Windows systems.
Microsoft bug: Has a security fix been released?
Yes, Microsoft has released its January security update, which includes a fix for the vulnerability, CVE-2020-0601, affecting Windows 10 systems. “The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates,” Microsoft said in its security advisory. Microsoft has urged Windows users to install the update as soon as possible, as there are no workarounds for the vulnerability.
Microsoft bug: How can it be exploited?
The Microsoft Windows CryptoAPI vulnerability can be exploited by hackers to sign a malicious file using a spoofed code-signing certificate. In this case, a user would have no way of knowing that the file was malicious, as it would appear to have come from a trusted, legitimate source.
Microsoft bug: Has it been exploited?
No. Microsoft has confirmed that the company has not seen the vulnerability used in active attacks so far. “The NSA and Microsoft said they had not seen any evidence that the flaw had previously been abused,” Reuters reported. However, successful exploitation of the vulnerability can “allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software,” Microsoft noted.