After Adobe released its first Patch Tuesday updates for 2020 today, Microsoft has also published its January security advisories, warning billions of users of 49 new vulnerabilities in its various products.
What’s so special about the latest Patch Tuesday is that one of the updates fixes a serious flaw in the core cryptographic component of the widely used Windows 10, Server 2016 and 2019 editions; the flaw was discovered and reported to the company by the National Security Agency (NSA) of the United States.
What’s more interesting is that this is the first security flaw in Windows OS that the NSA reported responsibly to Microsoft, unlike the EternalBlue SMB flaw, which the agency kept secret for at least five years before it was leaked to the public by a mysterious group, which caused the WannaCry menace in 2017.
CVE-2020-0601: Windows CryptoAPI Spoofing Vulnerability
According to an advisory released by Microsoft, the flaw, dubbed ‘NSACrypt’ and tracked as CVE-2020-0601, resides in the Crypt32.dll module, which contains various ‘Certificate and Cryptographic Messaging functions’ used by the Windows Crypto API for handling encryption and decryption of data.
The issue resides in the way the Crypt32.dll module validates Elliptic Curve Cryptography (ECC) certificates; ECC is currently the industry standard for public-key cryptography and is used in the majority of SSL/TLS certificates.