Sunday, January 26, 2020

Use Windows Update and patch your PC now.

Microsoft, NSA confirm killer Windows 10 bug, but a patch is available

By

Senior Editor, PCWorld

As expected, Microsoft did reveal a fundamental flaw in Windows that affected Windows 10’s cryptographic library. January’s Patch Tuesday updates issued today, however, fix the issue, which is specific to Windows 10 and Windows Server. 

The flaw, CVE-2020-0601, was found in CRYPT32.DLL, the user-mode cryptographic library, and affects Windows 10 systems. (Contrary to earlier rumors, it does not affect Windows 7, which coincidentally is being shut down Tuesday as well.) Fortunately, Microsoft reported that the flaw was not in active use, though that doesn’t prevent an attacker from weaponizing it now that it’s been disclosed.

Specifically, the attack could allow malware to hide behind a spoofed cryptographic signature. Antivirus software could therefore identify malware as a legitimate application, or fake banking sites could use the vulnerability to trick a user’s PC into thinking they were legitimate.

Microsoft did not cite the source that reported the vulnerability. The Washington Post had reported that the National Security Agency (NSA) had developed the exploit, then turned it over to Microsoft. The NSA itself took credit for the discovery in a security advisory released Tuesday. 

Specifically, CVE-2020-0601 will affect Windows 10, according to Microsoft. The NSA believes it will affect Windows Server 2016/2019 as well.

“Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities,” the NSA said. “Examples where validation of trust may be impacted include: HTTPS connections, signed files and emails, [and] signed executable code launched as user-mode processes.”

The NSA advised basically everyone to apply the Patch Tuesday patches as quickly as possible to avoid risking their PCs. “NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable,” the NSA wrote. “The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available.”

Users should ensure that their Windows 10 PCs are up to date, and make sure that they enable Windows Update to send down the patch when it’s ready. More details of the January 2020 Windows security updates are available here.

This story, “Microsoft, NSA confirm killer Windows 10 bug, but a patch is available” was originally published by PCWorld.

As PCWorld’s senior editor, Mark focuses on Microsoft news and chip technology, among other beats.

Copyright © 2020 IDG Communications, Inc.

This article was first published on itnews.com
