As reported earlier in the day, the National Security Agency had disclosed a security vulnerability to Microsoft, which the company has fixed with the release of today's Patch Tuesday updates. Unlike the reports that we saw, Microsoft hasn't shared if the issue also affects older desktop operating systems like Windows XP and Windows 7. Currently the bug fixes are only live for Windows 10, Windows Server 2016, and Windows Server 2019.
What is this latest Windows 10 security bug?
In its security advisory, Microsoft detailed that "a spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates." Tracked as CVE-2020-0601, an attacker could exploit this Windows CryptoAPI Spoofing Vulnerability to use a "spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source."
The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.
A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.
Microsoft added that "the security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates."
The company categorized the bug as "important," and not "critical" as rumors had hinted. You can download the latest patches to fix the issue.
January 2020 Patch Tuesday updates live for almost all versions
2020 Patch Tuesday updates are live for Windows 10 version 1909 and 1903 (KB4528760 - Builds 18362.592 and 18363.592), version 1809 (KB4534273 - Build 17763.973), version 1803 (KB4534293 - Build 17134.1246), Fall Creators Update (KB4534276 - Build 16299.1625), Creators Update (KB4534296 - Build 15063.2254), Anniversary Update (KB4534271 - Build 14393.3443), and the original Windows 10 (KB4534306 - Build 10240.18453).
Here's the changelog:
- Security updates to Windows App Platform and Frameworks, Windows Input and Composition, Windows Management, Windows Cryptography, Windows Storage and Filesystems, the Microsoft Scripting Engine, and Windows Server.
As a reminder, Windows 7 expires tonight with Microsoft expected to send the last batch of updates later today. Users are highly recommend to migrate to Windows 10 to avoid security risks.
