Serious Microsoft crypto vulnerability – patch right now
2020-01-14 23:07

One of the functions that the CryptoAPI offers is to check and validate so-called digital certificates, which are blocks of cryptographic data that are used to vouch for online services you use or files you load. Digital certificates are the cryptographic sauce that puts the S into HTTPS, and the padlock into your browser's address bar.

The idea is that you create a certificate to vouch for your website or your software; you get a so-called Certificate Authority (CA) to sign your certificate to vouch for you; and your browser or operating system - in this case, Microsoft's CryptoAPI - vouches for the CA.

Digital certificates considered important

The digital certificate system isn't perfect - you will find numerous articles on Naked Security about incorrectly signed certificates; CAs who were so sloppy that their certificates were invalidated; and company certificates stolen by crooks so that they could give their own apps or web pages someone else's imprimatur.

Digital certificates are important - very important, in fact - in giving you a better-than-average chance of deciding that you are at least on the right website, or that you have downloaded the software you intended.

We don't yet know how hard it is to produce rogue certificates that will pass muster, and Microsoft understandably isn't offering any instructions on how to do it.


News URL

https://nakedsecurity.sophos.com/2020/01/14/serious-microsoft-crypto-vulnerability-patch-right-now/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 725 810 4726 4731 3648 13915