When the technical director of the U.S. National Security Agency (NSA) Cybersecurity Directorate, and the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA), both urge Windows 10 users to take action and update as soon as possible, you might suspect that something serious has happened. And it has happened.
The flaw affected encryption of digital signatures used to authenticate content, including software or files. If exploited, the flaw could allow criminals to send malicious content with fake signatures that make it appear safe
Microsoft has published its January security advisories warning billions of users of 49 new vulnerabilities in its various products.
The latest Patch Tuesday is that one of the updates fixes a serious flaw in the core cryptographic component of widely used Windows 10, Server 2016 and 2019 editions.
What’s more interesting is that this is the first security flaw in Windows OS that the NSA reported responsibly to Microsoft, unlike the Eternalblue SMB flaw that the agency kept secret for at least five years and then was leaked to the public by a mysterious group, which caused WannaCry menace in 2017.
It is unclear how long the NSA knew about the flaw before reporting it to Microsoft. In the past, the top security agency has kept some major vulnerabilities secret in order to use them as part of the U.S. tech arsenal.
According to an advisory released by Microsoft, the flaw, dubbed ‘NSACrypt’ and tracked as CVE-2020-0601, resides in the Crypt32.dll module that contains various ‘Certificate and Cryptographic Messaging functions’ used by the Windows Crypto API for handling encryption and decryption of data.
Exploitation of the vulnerability allows attackers to abuse validation of trust between:
- HTTPS connections
- Signed files and emails
- Signed executable code launched as user-mode processes
Besides this, the flaw in CryptoAPI could also make it easy for remote man-in-the-middle attackers to impersonate websites or decrypt confidential information on user connections to the affected software.