There appears to be a high-priority Patch Tuesday alert today! According to numerous media posts, there is a vulnerability present in all versions of Windows from XP onward. Rumor has it that it is so serious the U.S. military apparently received its patches ahead of time under NDAs.
The NSA’s director of cyber security, Anne Neuberger, has confirmed a flaw exists in Windows 10 that “makes trust vulnerable” and was reported to Microsoft by the NSA itself.
Investigative reporter Brian Krebs said that his sources told him, “Microsoft is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows.”
Moving past the speculation, Microsoft has officially confirmed the vulnerability. It stated that “A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.” In practice, this means an attacker could exploit the flaw, in the way the NSA said “makes trust vulnerable,” by presenting a spoofed code-signing certificate that Windows accepts as valid. A malicious file signed that way would appear to come from a legitimate and trusted source.
“A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software,” Microsoft said, adding that “the security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.”
What to do then?
All Windows 10 users are advised to apply the Patch Tuesday update as soon as it becomes available to them. Note, however, that as of this writing the emergency update applies only to Windows 10, Windows Server 2016, and Windows Server 2019.