SecurityTechnologyWorld

NSA & Microsoft Recommend Updating ‘Windows 10’ Via Cybersecurity Guidance Advisory; “Patches Potentially Serious Vulnerability”

By John Colascione Share with new partner:   Share
1,981
If you have Windows 10, and do not utilize Automatic Updates and/or want to run your Windows Update manually to get the patch quickly, follow these instructions from Microsoft and click the “Check for Windows updates” button.

PALM BEACH, FL – On Tuesday, January 14, 2020, the U.S. National Security Agency released a Cybersecurity Advisory urging users of Microsoft’s Windows 10 operating system to patch a potentially serious vulnerability.

NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows®1 cryptographic functionality. The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.

Microsoft also released details about the vulnerability, which could allow an attacker to use a spoofed code-signing certificate – a sort of digital signature used to validate legitimate apps – to sign malicious software. This would allow the malware to appear to be from a trusted source and could make detection significantly more difficult.

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider. A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software. The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.

This vulnerability affects Windows 10.

  1. If you have Windows 10, and do not utilize Automatic Updates and/or want to run your Windows Update manually to get the patch quickly, follow these instructions from Microsoft and click the “Check for Windows updates” button.
  2. Alternatively, when you are at your Windows 10 computer, click the Start button, select Settings, then Update & Security, then Windows Update, and click Check for updates to run Windows Update manually.
  3. If you have multiple PCs running Windows 10, ensure they are all up-to-date with the latest security patches.
  4. DO NOT attempt to download a patch for this vulnerability from anywhere other than the Windows Update tool. Windows system updates should only be downloaded directly from Microsoft.
  5. If you would like to read more about the unprecedented nature of the partnership between the NSA and Microsoft relating to this patch, click here (Washington Post) or here (Business Insider).
John Colascione

John Colascione is the Chief Executive Officer of SEARCHEN NETWORKS®, a group of digital media companies based in West Palm Beach, FL. He specializes in Website Monetization, is a Google AdWords Certified Professional and authored an educational ‘how to’ book called ”Mastering Your Website. He writes primarily on Internet businesses and related issues while covering other items of interest including breaking news and politics if and when time allows.

You Can Flip My Stories On The Flipboard Digital Magazine

Disclaimer (varies based on content, section, category, etc.): News articles on this site may contain opinions of the author, and if opinion, may not necessarily reflect the views of the site itself nor the views of the owners of The Published Reporter. For more information on our editorial policies please view our editorial policies and guidelines section in addition to our fact checking policy and most importantly, our terms of service. All links on this site could lead to commissions paid to the publisher. Please see Advertising Disclosure in sidebar.
Subscribe to John Colascione (via RSS) RSS ICON or a specific category with our Feedburner Feeds. Feedburner
Comment via Facebook

Corrections: If you are aware of an inaccuracy or would like to report a correction, we would like to know about it. Please consider sending an email to [email protected] and cite any sources if available. Thank you. (Policy)

You might also like More from author

Comments are closed.