Microsoft has released a security patch for a dangerous vulnerability affecting hundreds of millions of computers running Windows 10.
Hot on the heels of the Windows 7 demise up pops a new threat targeted at Microsoft Windows 10 users. If there’s anything we’ve learned over the years, it’s to apply all security patches as soon as they become available. That lesson was reinforced in a big way late last week when researchers at the NSA (National Security Agency) discovered a way to exploit a Microsoft Windows vulnerability. More specifically, the flaw lies in the Windows CryptoAPI, which is used to process the digital certificates that attest to the validity of software via code signing. This vulnerability could allow an attacker to craft a certificate that appears to chain to a trusted root certificate authority.
By exploiting this vulnerability, an attacker could spoof a valid X.509 certificate chain on a vulnerable Windows system. This could allow various actions such as interception and modification of TLS-encrypted communications or spoofing of an Authenticode signature. The vulnerability could also leave organizations exposed to spoofing of websites as well as software.
What makes this Windows vulnerability notable is its potential to undermine the very foundational security technology that Microsoft Windows employs to determine whether an application is trustworthy. By tricking digital certificate verification, cyber-attackers can introduce malware that is then considered legitimate and trusted by Windows 10.
Microsoft Quickly Released a Patch for this bug
Once Microsoft was alerted to the Windows vulnerability, it immediately issued a patch. While most companies have undoubtedly applied it, others may be behind the curve.
Microsoft is said to have released patches for Windows 10 and Windows Server 2016, which is also affected, to the U.S. government, military and other high-profile companies ahead of Tuesday’s release to the wider public, amid fears that the bug would be abused and vulnerable computers could come under active attack.
While it might seem odd that a major vendor like Microsoft could miss something like this, it’s not all that uncommon. Cryptography can be very complex to implement and thus presents opportunities for attackers. Skilled attackers have long tried to pass off their malware as legitimate software, in some cases by obtaining and stealing certificates.
Last year, attackers stole a certificate belonging to computer maker Asus to sign a backdoored version of its software update tool. By pushing the tool through the company’s own update servers, “hundreds of thousands” of Asus customers were compromised as a result.
Don’t wait on Microsoft for this update – Here’s what to do…
Windows Update is found within Settings. To get there, select the Start menu, followed by the gear (Settings) icon on the left. In there, choose Update & Security and then Windows Update in the left-hand pane. Choose Check for updates to make sure your computer is fully up to date and protected.
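For administrators who would rather check many machines than click through Settings on each one, the same check can be done from PowerShell. This is an added example, not part of the original article; it uses the Windows Update Agent COM API and Get-HotFix, and the KB number is a placeholder to be replaced with the identifier from Microsoft's advisory for your build.

```powershell
# Added example: report pending Windows updates and check for one specific patch.
# Replace this placeholder with the KB number from Microsoft's advisory for your OS build.
$RequiredKb = 'KB0000000'   # placeholder, not a real identifier

# Ask the Windows Update Agent for updates that are not yet installed.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software'")

if ($result.Updates.Count -eq 0) {
    Write-Host 'No pending software updates reported by Windows Update.'
} else {
    Write-Host "Pending updates: $($result.Updates.Count)"
    foreach ($update in $result.Updates) {
        # KBArticleIDs is a collection; join it so each line reads cleanly.
        $kbs = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ', '
        Write-Host ("  {0}  [{1}]" -f $update.Title, $kbs)
    }
}

# Separately, confirm whether the required patch is already in the installed hotfix list.
$installed = Get-HotFix | Where-Object { $_.HotFixID -eq $RequiredKb }
if ($installed) {
    Write-Host "$RequiredKb is installed (on $($installed.InstalledOn))."
} else {
    Write-Warning "$RequiredKb is NOT installed on $env:COMPUTERNAME. Run Windows Update."
}
```

Run it in an elevated PowerShell session; on a fleet, the Get-HotFix query can be wrapped with Invoke-Command to collect the same result from each host.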