The NSA’s director of cyber security, Anne Neuberger, has confirmed a flaw exists in Windows 10 that “makes trust vulnerable” and was reported to Microsoft by the NSA itself.

An investigative reporter Brian Krebs said that his sources told him, “Microsoft is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows.”

Moving past the speculations, Microsoft has officially confirmed the vulnerability. It stated that “A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.” This means that an attacker could be able to exploit this, in a way that the NSA said “makes trust vulnerable,” by using a spoofed code-signing certificate. By so doing, a malicious file could appear to come from a legitimate and trusted source.

“A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software,” Microsoft said, adding that “the security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.”

What to do then?

All Windows 10 users are advised to apply the Patch Tuesday update as soon as it becomes available to them. However, as of this writing  the emergency update only applies to Windows 10, Server 2016, and Server 2019.

The post Update All Windows Systems Now! CVE-2020-0601 appeared first on Kontech IT Services.