Security News > 2020 > January > NSA Discloses Serious Windows Vulnerability to Microsoft
The U.S. National Security Agency has informed Microsoft that Windows is affected by a potentially serious spoofing vulnerability that could allow hackers to make a malicious file appear to come from a trusted source or conduct man-in-the-middle attacks.
The NSA reached out to reporters to inform them about the vulnerability before Microsoft released its patches.
Microsoft, which has rated the vulnerability "Important," says it exists in the way the CryptoAPI component in Windows validates Elliptic Curve Cryptography certificates.
The NSA has described the vulnerability as critical and pointed out that it could impact trust in HTTPS connections, signed files and emails, and signed executable code.
"NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available," the NSA said in its advisory.
News URL
Related news
- Microsoft asks Windows Insiders to try out the controversial Recall feature (source)
- Microsoft blocks Windows 11 24H2 on some PCs with USB scanners (source)
- Security? We've heard of it: How Microsoft plans to better defend Windows (source)
- Microsoft says premature patch could make Windows Recall forget how to work (source)
- Microsoft says having a TPM is "non-negotiable" for Windows 11 (source)
- Microsoft Fixes 72 Flaws, Including Patch for Actively Exploited CLFS Vulnerability (source)
- Microsoft lifts Windows 11 24H2 block on PCs with USB scanners (source)
- Patch Tuesday: Microsoft Patches One Actively Exploited Vulnerability, Among Others (source)
- Microsoft says Auto HDR causes game freezes on Windows 11 24H2 (source)
- Microsoft adds another problem to the Windows 11 24H2 naughty list (source)