Security News

Several industry professionals have shared thoughts with SecurityWeek about the vulnerability, its impact, and the possible reasons why the NSA disclosed it rather than using it in its own operations. "While this is a serious vulnerability that should be patched, there's no need to panic. When you look at the vulnerability and the number of affected systems, this does not reach the level of Heartbleed or WannaCry scenarios from the past. Also, our research shows that behavioral analysis of malware still detects malware as malicious, even if it's signed with an ostensibly legitimate certificate."

Was there a big, bad security bug in Microsoft Windows waiting to be announced the next day? This time, the NSA gave the bug to Microsoft to patch the hole proactively, and here we are!

Several proof-of-concept exploits have already been created - and some of them have been made public - for CVE-2020-0601, the crypto-related Windows vulnerability that Microsoft patched recently after being notified by the U.S. National Security Agency. Currently, there is no evidence that the vulnerability has been exploited in attacks, but PoC exploits have been created for CVE-2020-0601 much faster than many had anticipated.

A major Microsoft crypto-spoofing bug impacting Windows 10 made waves this Patch Tuesday, particularly as the flaw was found and reported by the U.S. National Security Agency. Microsoft's January Patch Tuesday security bulletin disclosed the "Important"-severity vulnerability, which could allow an attacker to spoof a code-signing certificate, vital to validating executable programs in Windows, and make it appear as if an application was from a trusted source.

Designed to exploit a vulnerability in Windows 10 and Windows Server 2016 and 2019, the bug could allow an attacker to remotely access and control an infected computer. Microsoft has responded to a Windows security bug discovered and reported by the National Security Agency by issuing a patch now available as an "Important" update for affected Windows computers.

Q4: What role does a 'private key' play here anyway, if not that in Q3? Q5: If one doesn't simply learn the original private key off of knowing the public key, is one simply able to create a new digital certificate this way, as opposed to, having learned the private key of an existing digital certificate? Did I understand this more correctly now? Q6: Could the fake private key, simply be a number like 1, something that can be guessed by anyone? Or, equally bad, any other number, that you then can use to decipher data because someone would ofc know the private key?

The U.S. National Security Agency took the unusual step Tuesday of announcing what it calls a "Severe" vulnerability in Microsoft's Windows 10 operating system ahead of Microsoft's Patch Tuesday security update. The U.S. Department of Homeland Security released a statement Tuesday ordering all federal agencies to patch the vulnerability and urging all Windows users to apply the security patch provided by Microsoft within 10 days.

Amid Uncle Sam's dire warnings, Microsoft said there is no evidence of the flaw being targeted in the wild and its severity level is listed as "Important," a step below the critical remote code execution bugs in RDP,.NET and Internet Explorer. The American spying agency wants everyone to know - to the point of even holding a press conference about CVE-2020-0601 - that it privately found and reported this diabolical cert flaw to Microsoft, and that it is a totally friendly mass-surveillance system that has turned a new leaf, wants to be on the good side of infosec researchers, and cares about your ongoing ability to verify the origin and integrity of executable files and network connections.

As forecasted, January 2020 Patch Tuesday releases by Microsoft and Adobe are pretty light: the "Star of the show" is CVE-2020-0601, a Windows flaw flagged by the NSA that could allow attackers to successfully spoof code-signing certificates and use them to sign malicious code or intercept and modify encrypted communications. The flaw only affects newer versions of Windows and Windows Server, and is found in the Windows CryptoAPI, which validates Elliptic Curve Cryptography certificates.

The U.S. National Security Agency has informed Microsoft that Windows is affected by a potentially serious spoofing vulnerability that could allow hackers to make a malicious file appear to come from a trusted source or conduct man-in-the-middle attacks. The NSA reached out to reporters to inform them about the vulnerability before Microsoft released its patches.