Microsoft, NSA confirm killer Windows 10 bug, but a patch is available

Use Windows Update and patch your PC now


As expected, Microsoft did reveal a fundamental flaw in Windows that affected Windows 10’s cryptographic library.

January’s Patch Tuesday updates issued today, however, fix the issue, which is specific to Windows 10 and Windows Server.

The flaw, CVE-2020-0601, was found in the user-mode cryptographic library CRYPT32.DLL and affects Windows 10 systems. Contrary to earlier rumours, it does not affect Windows 7, which coincidentally is being shut down Tuesday as well.

Fortunately, Microsoft reported that the flaw was not being actively exploited, though that doesn’t prevent an attacker from weaponising it now that it’s been disclosed.

Specifically, the attack could allow malware to hide behind a spoofed cryptographic signature. Antivirus software could therefore identify malware as a legitimate application, or fake banking sites could use the vulnerability to trick a user’s PC into treating them as legitimate.

Microsoft did not cite the source that reported the vulnerability. The Washington Post had reported that the National Security Agency (NSA) had developed the exploit, then turned it over to Microsoft. The NSA itself took credit for the discovery in a security advisory released Tuesday.

Specifically, CVE-2020-0601 will affect Windows 10, according to Microsoft. The NSA believes it will affect Windows Server 2016/2019 as well.

“Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities,” the NSA said. “Examples where validation of trust may be impacted include: HTTPS connections, signed files and emails, [and] signed executable code launched as user-mode processes.”

The NSA advised basically everyone to apply the Patch Tuesday patches as quickly as possible to avoid risking their PCs.

“NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable,” the NSA wrote.

“The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available.”

Users should ensure that their Windows 10 PCs are up to date, and make sure that they enable Windows Update to send down the patch when it’s ready. More details of the January 2020 Windows security updates are available here.

Mark Hachman

PC World (US online)