Microsoft has responded to a Windows security bug discovered and reported by the National Security Agency by issuing a patch now available as an “Important” update for affected Windows computers.
Released as part of its monthly Patch Tuesday rollout on Jan. 14, the update addresses a spoofing vulnerability tagged as CVE-2020-0601 found in the way that the Windows CryptoAPI (Crypt32.dll) file validates certain cryptographic security certificates.
By exploiting this security hole, a hacker could spoof a code-signing certificate to sign a malicious executable file, making it seem as if the file was from a trusted and legitimate source, Microsoft said in its Security Update Guide.
Because the digital signature would appear to come from a trusted provider, an unsuspecting user could run the file without realizing that it was actually malicious. In that event, the attacker could also conduct man-in-the-middle attacks and decrypt confidential information on infected systems.
The vulnerability affects all versions of Windows 10 as well as Windows Server 2016 and 2019. Those of you running affected operating systems should turn to Windows Update to find and install the security patch, which will be contained in the latest Cumulative Update.
You can also download the patch for your specific version of Windows 10 and Windows Server 2016 or 2019 from Microsoft’s Security Update Guide.
Microsoft said that it had not seen the vulnerability exploited in any active attacks, likely the reason the company classified the security patch as “Important” rather than as “Critical.”
The vulnerability came to light when it was discovered by the National Security Agency. In its advisory, the NSA referred to the bug as severe, saying that sophisticated cyber actors would understand the flaw very quickly, thus making the affected versions of Windows fundamentally vulnerable.
The agency recommends that all January 2020 Patch Tuesday patches be installed as soon as possible to fix the vulnerability on all Windows 10 and Windows Server 2016/2019 systems.
“The consequences of not patching the vulnerability are severe and widespread,” the NSA said. “Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.”
After finding and researching the flaw, the NSA reported it directly to Microsoft, which then took the quick step of investigating it and issuing the patch. In creating the patch, Microsoft credited the NSA for its help in discovering and reporting the vulnerability, the first time the software giant has credited the agency for such an action.
The NSA is also being lauded for quickly reporting the vulnerability rather than using it for its own purposes to potentially hack into the networks of adversaries, according to The Washington Post.
“This is … a change in approach … by NSA of working to share, working to lean forward, and then working to really share the data as part of building trust,” Anne Neuberger, director of the NSA’s cybersecurity directorate, told the Post.
Microsoft tries to encourage security researchers and others to report any vulnerabilities in its products via its MSRC Researcher Portal.