Microsoft releases patch for Windows crypto vulnerability disclosed by the NSA

Serious Windows security flaw affects the Windows CryptoAPI module, which provides services for encrypting and decrypting data

Microsoft has rushed out a patch to fix a serious cryptographic vulnerability affecting Windows 10 and Windows Server 2016/2019.

The bug, indexed as CVE-2020-0601, was discovered by the US National Security Agency (NSA), which chose to disclose it to Microsoft instead of weaponising it for intelligence operations - assuming that they haven't already, but no longer have a use for it.

"When we identified a broad cryptographic vulnerability like this we quickly turned to work with the company to ensure that they could mitigate it," Anne Neuberger, chief of the NSA's Cybersecurity Directorate, said in a press call on Tuesday.

According to the NSA, the flaw affects the Windows CryptoAPI, a core module of the Windows operating system, which provides services for encrypting and decrypting data using digital certificates.

Because of this bug, Windows CryptoAPI fails to properly validate digital certificates that use elliptic curve cryptography (ECC). This could enable an attacker to achieve remote code execution by crafting a certificate that disguises malware as a legitimate piece of software. The user would have no way of knowing that the software was malicious, as the digital signature would appear to come from a trusted provider.

Some examples where the vulnerability may affect validation include HTTPS connections, signed emails and files, and signed executable code launched as user-mode processes.

The bug doesn't affect Windows 8.1 or earlier Windows client operating systems, or Windows Server 2012 R2 and older, because they don't support ECC keys with explicit curve parameters.
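The older systems are exempt because they reject elliptic-curve keys whose curve parameters are spelled out inside the certificate rather than referenced by a named-curve identifier, and that encoding is exactly what a defender wants to spot while patching. The following Python is an added example, not code from the article, Microsoft or the NSA: it parses a DER SubjectPublicKeyInfo and reports which encoding an EC key uses, run over two sample keys constructed inline (the explicit-parameter sample is abbreviated to its leading fields).

```python
# Added example: classify how an EC SubjectPublicKeyInfo encodes its curve parameters,
# so keys carrying explicit parameters instead of a named curve can be flagged.
from typing import Tuple

def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body              # short-form length only (samples < 128 B)

def _oid(dotted: str) -> bytes:
    """Encode a dotted OID to its DER value bytes (no tag/length)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out.extend(chunk)
    return bytes(out)

ID_EC_PUBLIC_KEY = _oid("1.2.840.10045.2.1")
NAMED_CURVES = {_oid("1.2.840.10045.3.1.7"): "secp256r1", _oid("1.3.132.0.34"): "secp384r1",
                _oid("1.3.132.0.35"): "secp521r1"}

def _tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, next position)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def classify_spki(spki: bytes) -> str:
    """'named:<curve>' for a namedCurve OID, 'explicit' for an inline ECParameters
    SEQUENCE (the encoding to treat as suspect), else 'implicit' or 'not-ec'."""
    _, body, _ = _tlv(spki, 0)                         # SubjectPublicKeyInfo SEQUENCE
    _, alg, _ = _tlv(body, 0)                          # AlgorithmIdentifier SEQUENCE
    tag, oid, pos = _tlv(alg, 0)
    if tag != 0x06 or oid != ID_EC_PUBLIC_KEY:
        return "not-ec"
    ptag, pval, _ = _tlv(alg, pos)                     # parameters: OID, SEQUENCE or NULL
    if ptag == 0x06:
        return "named:" + NAMED_CURVES.get(pval, "unknown")
    return "explicit" if ptag == 0x30 else "implicit"

# Constructed sample SPKIs; the explicit-parameter one is abbreviated (version + fieldID only).
_POINT = _der(0x03, b"\x00\x04" + b"\x11" * 64)       # BIT STRING holding a placeholder point
SAMPLE_NAMED_CURVE = _der(0x30, _der(0x30, _der(0x06, ID_EC_PUBLIC_KEY) + _der(0x06, _oid("1.2.840.10045.3.1.7"))) + _POINT)
_EXPLICIT = _der(0x30, _der(0x02, b"\x01") + _der(0x30, _der(0x06, _oid("1.2.840.10045.1.1")) + _der(0x02, b"\x17")))
SAMPLE_EXPLICIT_PARAMS = _der(0x30, _der(0x30, _der(0x06, ID_EC_PUBLIC_KEY) + _EXPLICIT) + _POINT)
```

On a real certificate, feed the function the DER bytes of the subjectPublicKeyInfo field; any "explicit" result on a chain that should terminate in a public CA deserves a closer look.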

The NSA is advising organisations to apply the latest patches immediately or, at the very least, to prioritise systems that host critical infrastructure like DNS servers, VPN servers, or domain controllers.

The agency added that the vulnerability would soon be understood by hackers of all stripes, and the consequences of not patching would be widespread and severe.

Sophisticated cyber actors will quickly be able to create remote exploitation tools and make them available to other groups.

Microsoft said that it had so far received no reports of any attacker exploiting the vulnerability in the wild. The company rated the bug as "important" rather than the "critical" level typically used to indicate major security flaws.

The extent of the flaw was first reported on Monday by security journalist Brian Krebs, who warned that it could seriously affect proper authentication on Windows desktops and servers, and the security of data handled by Microsoft's browsers.

Krebs also claimed that the software giant had already provided the patch for the bug to the US military, as well as some other high-value organisations under strict secrecy.