
Microsoft fixes serious Windows flaw discovered by the NSA

Install the latest Windows update without delay. The January Patch Tuesday release fixes CVE-2020-0601, a vulnerability discovered by the NSA, the American intelligence agency. The flaw affects Windows 10 as well as Windows Server 2016 and 2019, and both Microsoft and the community of cybersecurity researchers describe it as very serious.

On its Naked Security blog, Sophos explains that the vulnerability affects CryptoAPI, which is partially implemented in a Windows file named crypt32.dll. This module allows Windows programmers to add encryption functionality to their software. One of CryptoAPI's functions is to verify and validate digital certificates, ensuring that online services or files to be downloaded come from a legitimate source. An attacker could exploit the vulnerability to sign a malicious executable file so that it appears to come from a reliable and legitimate source, Microsoft explains. A successful exploit could also allow the attacker to carry out man-in-the-middle attacks and to decrypt confidential information on user connections to the affected software. Microsoft says it has not identified any exploitation of CVE-2020-0601 in active attacks.

This is the first time that the NSA has publicly admitted having informed Microsoft about a security flaw. “The NSA helped solve the problem by finding and characterizing the vulnerability, and then communicating with Microsoft quickly and responsibly,” the agency said in a statement. When questioned by Brian Krebs, a journalist who specializes in cybersecurity, the NSA declined to say when it discovered the flaw. The intelligence agency is known to keep this kind of discovery to itself. “Not long ago, the NSA would have simply used this exploit for its own attacking goals,” said MIT Technology Review, which said, however, that the agency had changed its strategy in the past decade.
