Serious Microsoft crypto vulnerability – patch right now
One of the functions that the CryptoAPI offers is to check and validate so-called digital certificates, which are blocks of cryptographic data that are used to vouch for online services you use or files you load. Digital certificates are the cryptographic sauce that puts the S into HTTPS, and the padlock into your browser's address bar.
The idea is that you create a certificate to vouch for your website or your software; you get a so-called Certificate Authority (CA) to sign your certificate to vouch for you; and your browser or operating system (in this case, Microsoft's CryptoAPI) vouches for the CA. Digital certificates considered important.
The digital certificate system isn't perfect - you will find numerous articles on Naked Security about incorrectly signed certificates; CAs who were so sloppy that their certificates were invalidated; and company certificates stolen by crooks so that they could give their own apps or web pages someone else's imprimatur.
Digital certificates are important - very important, in fact - in giving you a better-than-average chance of deciding that you are at least on the right website, or that you have downloaded the software you intended.
We don't yet know how hard it is to produce rogue certificates that will pass muster, and Microsoft understandably isn't offering any instructions on how to do it.
News URL
https://nakedsecurity.sophos.com/2020/01/14/serious-microsoft-crypto-vulnerability-patch-right-now/