Security News > 2020 > January > Serious Microsoft crypto vulnerability – patch right now
One of the functions that the CryptoAPI offers is to check and validate so-called digital certificates, which are blocks of cryptographic data that are used to vouch for online services you use or files you load. Digital certificates are the cryptographic sauce that puts the S into HTTPS, and the padlock into your browser's address bar.
The idea is that you create a certificate to vouch for your website or your software; you get a so-called Certificate Authority to sign your certificate to vouch for you; and your browser or operating system - in this case, Microsoft's CryptoAPI, vouches for the CA. Digital certificates considered important.
The digital certificate system isn't perfect - you will find numerous articles on Naked Security about incorrectly signed certificates; CAs who were so sloppy that their certificates were invalidated; and company certificates stolen by crooks so that they could give their own apps or web pages someone else's imprimatur.
Digital certificates are important - very important, in fact - in giving you a better-than-average chance of deciding that you are at least on the right website, or that you have downloaded the software you intended.
We don't yet know how hard it is to produce rogue certificates that will pass muster, and Microsoft understandably isn't offering any instructions on how to do it.
News URL
https://nakedsecurity.sophos.com/2020/01/14/serious-microsoft-crypto-vulnerability-patch-right-now/
Related news
- Microsoft Fixes 72 Flaws, Including Patch for Actively Exploited CLFS Vulnerability (source)
- Patch Tuesday: Microsoft Patches One Actively Exploited Vulnerability, Among Others (source)
- Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console (source)
- Microsoft says premature patch could make Windows Recall forget how to work (source)
- Cleo File Transfer Vulnerability Under Exploitation – Patch Pending, Mitigation Urged (source)
- Microsoft December 2024 Patch Tuesday fixes 1 exploited zero-day, 71 flaws (source)
- Microsoft holds last Patch Tuesday of the year with 72 gifts for admins (source)
- BeyondTrust Issues Urgent Patch for Critical Vulnerability in PRA and RS Products (source)
- Malicious Microsoft VSCode extensions target devs, crypto community (source)
- Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS — Patch Now (source)