Microsoft has released a security update today to address “a broad cryptographic vulnerability” related to the Windows operating system.

The bug was discovered and reported by the US National Security Agency (NSA), NSA Director of Cybersecurity Anne Neuberger said today in a press release.

The CVE-2020-0601 bug

The vulnerability, tracked as CVE-2020-0601, affects the Windows CryptoAPI, a core component of the Windows operating system that handles cryptographic operations.

According to a security advisory published today, “there is a spoofing vulnerability in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.”

Microsoft says an attacker could exploit this bug “to sign a malicious executable file, making it look like the file came from a trusted, legitimate source.”

Beyond faking file signatures, the bug can also be used to forge the digital certificates used for encrypted communication.

“A successful exploit can also allow the attacker to perform man-in-the-middle attacks and to decrypt confidential information about user connections to the affected software,” Microsoft said.
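The article describes the flaw only as CryptoAPI mis-validating ECC certificates. The public advisories later explained the root cause as the validator accepting an ECC key whose curve is described by explicit parameters embedded in the certificate, rather than by a named-curve OID, without checking those parameters against the trusted root. That background is not from the article and is stated here as the editor's own knowledge. The following added example (not code from Microsoft, the NSA or the article) shows the check a hardened validator or a certificate audit script should make: parse the SubjectPublicKeyInfo, refuse explicit or unknown curve parameters, and accept only an allowlist of named curves. The DER walker is dependency-free, and the sample SPKI blobs are constructed in the block with placeholder values (not real keys or real curves).

```python
"""Inspect a DER-encoded X.509 SubjectPublicKeyInfo and reject ECC keys that
carry explicit curve parameters instead of a named-curve OID.

Added, self-contained example: a minimal DER walker plus a policy check.
All sample SPKI blobs below are constructed with placeholder values.
"""

# DER-encoded OID contents (standard X9.62 / RFC 5480 / PKCS#1 values).
OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")       # 1.2.840.10045.2.1
OID_PRIME_FIELD = bytes.fromhex("2a8648ce3d0101")         # 1.2.840.10045.1.1
OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

# Named curves a hardened validator is willing to accept (allowlist).
ALLOWED_CURVES = {
    "1.2.840.10045.3.1.7": "P-256",
    "1.3.132.0.34": "P-384",
    "1.3.132.0.35": "P-521",
}

TAG_INTEGER, TAG_BITSTRING, TAG_OCTETSTRING = 0x02, 0x03, 0x04
TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x05, 0x06, 0x30


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def _decode_oid(content: bytes) -> str:
    """Decode OID content bytes into dotted-decimal form."""
    arcs = [content[0] // 40, content[0] % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def inspect_spki(spki_der: bytes) -> dict:
    """Classify the AlgorithmIdentifier parameters of an SPKI."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("SPKI is not a SEQUENCE")
    tag, alg_id, _ = _read_tlv(spki, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, alg_oid, pos = _read_tlv(alg_id, 0)
    if tag != TAG_OID:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    if alg_oid != OID_EC_PUBLIC_KEY:
        return {"kind": "not-ec", "curve_oid": None}
    if pos >= len(alg_id):
        return {"kind": "absent", "curve_oid": None}
    tag, params, _ = _read_tlv(alg_id, pos)
    if tag == TAG_OID:                      # namedCurve
        return {"kind": "named", "curve_oid": _decode_oid(params)}
    if tag == TAG_SEQUENCE:                 # explicit ECParameters
        return {"kind": "explicit", "curve_oid": None}
    if tag == TAG_NULL:                     # implicitlyCA
        return {"kind": "implicitly-ca", "curve_oid": None}
    return {"kind": "unknown", "curve_oid": None}


def ec_policy_verdict(spki_der: bytes) -> str:
    """Accept only allowlisted named curves; reject everything else."""
    info = inspect_spki(spki_der)
    if info["kind"] == "not-ec":
        return "not-ec"
    if info["kind"] == "named":
        name = ALLOWED_CURVES.get(info["curve_oid"])
        return f"accept:{name}" if name else "reject:unknown-curve"
    return "reject:" + info["kind"]         # explicit, implicitly-ca, absent, unknown


# --- constructed sample inputs (placeholder values, not real keys) -----------
def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element (short or long form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


_DUMMY_POINT = _tlv(TAG_BITSTRING, b"\x00\x04" + b"\x11" * 64)  # not a real point

SPKI_NAMED_P256 = _tlv(TAG_SEQUENCE, _tlv(TAG_SEQUENCE,
    _tlv(TAG_OID, OID_EC_PUBLIC_KEY) + _tlv(TAG_OID, bytes.fromhex("2a8648ce3d030107")))
    + _DUMMY_POINT)

_EXPLICIT_PARAMS = _tlv(TAG_SEQUENCE,
    _tlv(TAG_INTEGER, b"\x01")                                                  # version
    + _tlv(TAG_SEQUENCE, _tlv(TAG_OID, OID_PRIME_FIELD) + _tlv(TAG_INTEGER, b"\x17"))  # fieldID
    + _tlv(TAG_SEQUENCE, _tlv(TAG_OCTETSTRING, b"\x01") + _tlv(TAG_OCTETSTRING, b"\x01"))  # a, b
    + _tlv(TAG_OCTETSTRING, b"\x04\x01\x01")                                    # base point
    + _tlv(TAG_INTEGER, b"\x13")                                                # order
    + _tlv(TAG_INTEGER, b"\x01"))                                               # cofactor
SPKI_EXPLICIT = _tlv(TAG_SEQUENCE, _tlv(TAG_SEQUENCE,
    _tlv(TAG_OID, OID_EC_PUBLIC_KEY) + _EXPLICIT_PARAMS) + _DUMMY_POINT)

SPKI_RSA = _tlv(TAG_SEQUENCE, _tlv(TAG_SEQUENCE,
    _tlv(TAG_OID, OID_RSA_ENCRYPTION) + _tlv(TAG_NULL, b""))
    + _tlv(TAG_BITSTRING, b"\x00\x30\x03\x02\x01\x03"))

if __name__ == "__main__":
    for label, blob in [("named P-256", SPKI_NAMED_P256), ("explicit", SPKI_EXPLICIT), ("rsa", SPKI_RSA)]:
        print(f"{label:12s} -> {ec_policy_verdict(blob)}")
```

The same check can be applied to every certificate in a chain and to code-signing certificates harvested from an endpoint: an ECC certificate with explicit parameters is almost never legitimate on the modern web, so flagging it is a cheap, low-noise detection signal, and refusing it outright in a validator removes the class of bug the article describes regardless of whether a given platform's CryptoAPI is patched.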

According to Microsoft, this vulnerability affects Windows 10, Windows Server 2019, and Windows Server 2016 OS versions.

Microsoft and the NSA had not seen any attacks exploiting this bug in the wild before today’s patch.

The first credit from NSA

The bug is considered serious enough that, according to Neuberger, the agency took the unprecedented step of reporting it instead of hoarding the vulnerability and using it in its own offensive tools and operations.

CVE-2020-0601 marks the first time Microsoft has credited the NSA for reporting a bug. Other cyber security authorities have reported major vulnerabilities to Microsoft before; for example, the UK National Cyber Security Centre reported the now infamous BlueKeep bug to Microsoft in May 2019.

Neuberger said that the NSA reporting this bug marks a change in the agency’s overall approach, and that more bug reports will follow.

In addition to reporting the bug to Microsoft, the agency also notified critical infrastructure operators ahead of today’s official patches to let them know that an important fix was coming.

The agency issued its own security advisory later in the day, with information on mitigations and on detecting exploitation, and also urged IT staff to prioritise installing today’s Patch Tuesday security updates.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is also publishing an emergency directive today alerting US private sector organisations and government agencies to the need to install the latest Windows OS fixes.

“Given the information we now have, it is imperative that customers ensure that they apply this patch quickly. This applies to all ‘critical patches,’ but is currently doubly true,” Yonatan Striem-Amit, CTO and co-founder of Cybereason, told ZDNet earlier today.