Daily Archives: 2020-01-14

Article note: Oh, so that's what the dire rumors have been about. Windows' certificate validation is broken in a way that could subvert both network validation and code signing (eg. MITMs could inject bogus updates), it looked like enough of an infrastructure threat that that the NSA disclosed instead of using it, and y'all want to patch now.

Enlarge / The NSA says to patch now. (credit: National Security Agency)

Microsoft's scheduled security update for Windows includes a fix to a potentially dangerous bug that would allow an attacker to spoof a certificate, making it look like it came from a trusted source. The vulnerability, reported to Microsoft by the National Security Agency, affects Windows 10, Windows Server 2016, Windows Server 2019, and Windows Server version 1803.

Microsoft has rated the update as "important" rather than critical. But in a blog post, Mechele Gruhn, the Principal Security Program Manager for Microsoft Security Response Center, explained that this was because "we have not seen it used in active attacks."

However, researchers outside Microsoft—including Google's Tavis Ormandy—have a much more dire assessment of the vulnerability and urge users to patch quickly before an active exploit appears.