Microsoft patches serious PKI vulnerability
Microsoft has released a patch for a serious vulnerability in Windows discovered by the US National Security Agency that can be exploited to undermine public key infrastructure trust.
The spoofing vulnerability in the way Windows CryptoAPI validates elliptic curve cryptography (EEC) certificates could be exploited by using a spoofed code-signing certificate to sign a malicious executable in a way that makes it appear the file was from a trusted source.
According to Microsoft, a user would have no way of knowing the file was malicious because the digital signature would appear to be from a trusted provider.
Exploiting the vulnerability could also allow attackers to conduct man in the middle attacks and decrypt user confidential information.
The security update ensures that Windows CryptoAPI completely validates ECC certificates to prevent these exploits.
According to the NSA, applying the patch is the only comprehensive means to mitigate the risk of the vulnerability.
The NSA reportedly took the unprecedented step of reporting the exploit to Microsoft rather than incorporating it into its own attack toolkit due to the potential severity of the vulnerability.
The agency has also published its own security advisory about the exploit, recommending that enterprises prioritise patching endpoints that have a high risk of exploitation, such as those directly exposed to the internet or regularly used by privileged users.
Chris Morales, head of security analytics at threat detection and response platform developer Vectra AI, said the NSA deserves kudos for reporting the vulnerability to Microsoft.
“I'd be interested to understand what makes this exploit worth reporting to Microsoft instead of keeping for their personal arsenal as they have in the past. It could be because many of those previous tools leaked and have caused widespread damage across multiple organisations,” he said.
“It could be because there was concern others would find this vulnerability themselves and it was dangerous enough to warrant remediation instead of weaponising. Or it just could be the NSA already has enough other methods for compromising a Windows system and doesn’t need it.”
Privacy International has released a petition, calling on Google to help fight vulnerabilities in...
Across the festive season we'll be reprising some of our best articles from 2019. Today we...
A massive trove of around 4 billion customer records has been found online sitting on an...