Following Adobe's release of its first patches of 2020 today, Microsoft has also published its January security advisories, warning its very large user base of 49 new vulnerabilities across several of its products.
What makes this Patch Tuesday notable is that one of the updates fixes a serious flaw in the core cryptographic module of the widely used Windows 10, Server 2016 and Server 2019 editions, a flaw discovered and reported to the company by the United States National Security Agency (NSA).
More remarkable still, this is the first Windows security flaw the NSA has responsibly disclosed to Microsoft, in contrast to the EternalBlue SMB flaw that the agency kept secret for at least five years until a shadowy group leaked it to the public, which set off the WannaCry outbreak in 2017.
According to Microsoft's advisory, the flaw, dubbed 'NSACrypt' and tracked as CVE-2020-0601, resides in the Crypt32.dll module, which contains the 'Certificate and Cryptographic Messaging functions' that the Windows CryptoAPI uses for encrypting and decrypting data.
The issue lies in the way the Crypt32.dll module validates Elliptic Curve Cryptography (ECC) certificates; ECC is currently the industry standard for public-key cryptography and is used in most SSL/TLS certificates.
In a press release, the agency explains “the certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution.”
Although technical details of the flaw are not yet public, Microsoft confirms that the defect, if successfully exploited, could allow attackers to spoof digital signatures on software.
“A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates,” the Microsoft advisory says.
“An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious because the digital signature would appear to be from a trusted provider.”
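One defender-side check that follows from the advisories above, added here as an example (this is not code from the article, the NSA or Microsoft): the NSA's mitigation guidance for CVE-2020-0601 pointed at ECC certificates whose keys carry explicitly defined curve parameters instead of a standard named-curve OID, since a properly issued certificate almost always names its curve. The script below walks the DER of an X.509 SubjectPublicKeyInfo (the layout from RFC 5480) with a minimal TLV reader and classifies the key as named-curve, explicit-parameters or not-EC. The two sample SPKI blobs are constructed in the script for illustration and are not taken from any real certificate; the explicit-parameter contents are placeholders, because only the structure matters to the check.

```python
# Minimal DER inspection of an EC SubjectPublicKeyInfo (RFC 5480):
# flag keys whose AlgorithmIdentifier parameters are an explicit
# ECParameters SEQUENCE rather than a named-curve OID.
# Added example, not code from the article, the NSA or Microsoft.

ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # 1.2.840.10045.2.1
SECP256R1 = bytes.fromhex("2a8648ce3d030107")        # 1.2.840.10045.3.1.7
PRIME_FIELD = bytes.fromhex("2a8648ce3d0101")        # 1.2.840.10045.1.1
RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101") # 1.2.840.113549.1.1.1
NAMED_CURVES = {SECP256R1: "secp256r1"}


def _read_tlv(data, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def _tlv(tag, value):
    """Encode a DER TLV (short- or long-form length) for the samples."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def classify_ec_spki(spki_der):
    """
    Classify a SubjectPublicKeyInfo:
      'named-curve:<name>'    parameters are a curve OID (expected case)
      'explicit-parameters'   parameters are an ECParameters SEQUENCE (review)
      'not-ec'                key algorithm is not id-ecPublicKey
    """
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg_id, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid, pos = _read_tlv(alg_id, 0)
    if tag != 0x06 or oid != ID_EC_PUBLIC_KEY:
        return "not-ec"
    ptag, params, _ = _read_tlv(alg_id, pos)
    if ptag == 0x06:                       # OBJECT IDENTIFIER: named curve
        return "named-curve:" + NAMED_CURVES.get(params, params.hex())
    if ptag == 0x30:                       # SEQUENCE: explicit ECParameters
        return "explicit-parameters"
    return "unexpected-parameters"


# --- constructed samples (placeholders, not real keys) -------------------
PUBKEY_BITS = _tlv(0x03, b"\x00\x04" + bytes(64))   # dummy uncompressed point

NAMED_SPKI = _tlv(0x30,
    _tlv(0x30, _tlv(0x06, ID_EC_PUBLIC_KEY) + _tlv(0x06, SECP256R1))
    + PUBKEY_BITS)

EXPLICIT_PARAMS = _tlv(0x30,
    _tlv(0x02, b"\x01")                                          # ecpVer1
    + _tlv(0x30, _tlv(0x06, PRIME_FIELD) + _tlv(0x02, b"\x00\xff"))  # FieldID, placeholder p
    + _tlv(0x30, _tlv(0x04, b"\x01") + _tlv(0x04, b"\x02"))      # Curve a, b placeholders
    + _tlv(0x04, b"\x04\x01\x02")                                # base point placeholder
    + _tlv(0x02, b"\x00\xfd"))                                   # order placeholder

EXPLICIT_SPKI = _tlv(0x30,
    _tlv(0x30, _tlv(0x06, ID_EC_PUBLIC_KEY) + EXPLICIT_PARAMS)
    + PUBKEY_BITS)

RSA_SPKI = _tlv(0x30,
    _tlv(0x30, _tlv(0x06, RSA_ENCRYPTION) + _tlv(0x05, b""))
    + _tlv(0x03, b"\x00" + bytes(32)))                           # dummy RSA key bits


if __name__ == "__main__":
    for label, blob in (("named", NAMED_SPKI), ("explicit", EXPLICIT_SPKI), ("rsa", RSA_SPKI)):
        print(f"{label:9s} -> {classify_ec_spki(blob)}")
```

In practice the SPKI would be pulled out of each certificate in a code-signing chain or TLS handshake; an `explicit-parameters` result is a signal to examine the certificate, not proof of exploitation, since a few legitimate issuers have shipped explicit parameters in the past.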