A crypto-spoofing bug affecting Windows 10 users has been fixed as part of Microsoft's January Patch Tuesday security bulletin. The vulnerability could allow hackers to spoof a code-signing certificate, vital to validating executable programs in Windows, and make it appear as if an application came from a trusted source. A successful attack could also allow the hacker to conduct man-in-the-middle attacks and decrypt confidential information. The vulnerability was found by the U.S. National Security Agency (NSA).
The vulnerability, CVE-2020-0601, exists in the way Windows Crypt32.dll validates Elliptic Curve Cryptography (ECC) certificates. Core CryptoAPI functions include encrypting and decrypting data using digital certificates. The CryptSignMessage function creates a hash of the specified content, signs the hash, and then encodes both the original message content and the signed hash. On unpatched systems, hackers can evade next-gen AV protection and Microsoft's own checks and balances.
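A triage check a defender can run while the patch rolls out, added here as an example and not part of the original article: the flaw concerns how CryptoAPI handles ECC certificate parameters, and the detection guidance for CVE-2020-0601 singles out certificates that spell out their curve parameters explicitly instead of naming the curve by OID. The code takes a DER-encoded SubjectPublicKeyInfo (extract it from a certificate with your usual tooling); the three sample SPKIs are constructed and carry a dummy key bit string.

```python
# Added example, not from the original article: classify the curve parameters in a
# DER-encoded SubjectPublicKeyInfo. ECC keys whose AlgorithmIdentifier carries a
# full ECParameters SEQUENCE rather than a named-curve OID deserve review on
# systems not yet patched for CVE-2020-0601.
EC_PUBLIC_KEY_OID = "1.2.840.10045.2.1"   # id-ecPublicKey

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """Decode DER OID content bytes to dotted-decimal text."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def ec_params_kind(spki_der):
    """'named' (curve OID), 'explicit' (ECParameters SEQUENCE), 'implicit', or 'not-ec'."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    assert tag == 0x30, "SubjectPublicKeyInfo must be a SEQUENCE"
    tag, alg_id, _ = _read_tlv(spki, 0)
    assert tag == 0x30, "AlgorithmIdentifier must be a SEQUENCE"
    tag, oid, pos = _read_tlv(alg_id, 0)
    if tag != 0x06 or _decode_oid(oid) != EC_PUBLIC_KEY_OID:
        return "not-ec"
    if pos >= len(alg_id):                  # parameters field absent
        return "implicit"
    tag, _, _ = _read_tlv(alg_id, pos)
    return {0x06: "named", 0x30: "explicit"}.get(tag, "implicit")

def needs_review(spki_der):
    """True when the key is ECC but the curve is given explicitly, not by name."""
    return ec_params_kind(spki_der) == "explicit"

# Constructed sample SPKIs (a dummy 1-byte BIT STRING stands in for the key).
NAMED_SPKI = bytes.fromhex("3019 3013 06072a8648ce3d0201 06082a8648ce3d030107 03020004")   # prime256v1
EXPLICIT_SPKI = bytes.fromhex("3014 300e 06072a8648ce3d0201 3003020101 03020004")          # ECParameters
RSA_SPKI = bytes.fromhex("3013 300d 06092a864886f70d010101 0500 03020004")                 # rsaEncryption

if __name__ == "__main__":
    for name, spki in [("named", NAMED_SPKI), ("explicit", EXPLICIT_SPKI), ("rsa", RSA_SPKI)]:
        print(name, ec_params_kind(spki), "REVIEW" if needs_review(spki) else "ok")
```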
It is important that all Windows 10 users apply the patch. Every Windows device relies on trust established by TLS and code-signing certificates, which act as machine identities. The flaw allows hackers to break these identities, and Windows won't be able to tell the difference between malware and Microsoft software.