A new critical Microsoft vulnerability affecting the Windows CryptoAPI has been discovered. The bug impacts millions of Windows 10 devices. Here's what it is.
Microsoft vulnerability
The new Microsoft flaw, tracked as CVE-2020-0601, was discovered by the NSA (National Security Agency). It is a spoofing vulnerability in the way the Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.
For those who don't know, ECC is a family of public-key algorithms; certificates carrying ECC keys are used to sign software and to secure HTTPS connections. Windows relies on Crypt32.dll to decide whether such a certificate chains to a trusted root.
Since the flaw sits in the CryptoAPI, it allows attackers to use a spoofed code-signing certificate to sign a malicious executable, fooling the user (and Windows itself) into believing the file comes from a trusted source.
The vulnerability can also allow attackers to conduct man-in-the-middle attacks against encrypted (HTTPS) connections and decrypt users' confidential information. All versions of Windows 10, as well as Windows Server 2016 and Windows Server 2019, are affected by the flaw.
For the uninitiated, a man-in-the-middle attack happens when an attacker intercepts and alters the communication between two parties while making both believe they are talking directly to each other.
According to the NSA, the flaw has not been exploited in the wild. However, it is rated critical. Microsoft has released a fix as part of its January 2020 security update.
Users are advised to install the security update as soon as it becomes available. The same update is said to fix around 50 other Windows flaws. Once patched, Windows logs an event with source "Microsoft-Windows-Audit-CVE" in the Application log whenever a certificate attempting to exploit this flaw is encountered, which administrators can monitor to spot exploitation attempts.