Microsoft patches serious PKI vulnerability


By Dylan Bushell-Embling
Wednesday, 15 January, 2020


Microsoft has released a patch for a serious vulnerability in Windows discovered by the US National Security Agency that can be exploited to undermine public key infrastructure trust.

The spoofing vulnerability in the way Windows CryptoAPI validates elliptic curve cryptography (ECC) certificates could be exploited by using a spoofed code-signing certificate to sign a malicious executable in a way that makes the file appear to come from a trusted source.

According to Microsoft, a user would have no way of knowing the file was malicious because the digital signature would appear to be from a trusted provider.

Exploiting the vulnerability could also allow attackers to conduct man-in-the-middle attacks and decrypt users' confidential information.

The security update ensures that Windows CryptoAPI completely validates ECC certificates to prevent these exploits.

According to the NSA, applying the patch is the only comprehensive means to mitigate the risk of the vulnerability.

The NSA reportedly took the unprecedented step of reporting the exploit to Microsoft rather than incorporating it into its own attack toolkit due to the potential severity of the vulnerability.

The agency has also published its own security advisory about the exploit, recommending that enterprises prioritise patching endpoints that have a high risk of exploitation, such as those directly exposed to the internet or regularly used by privileged users.

Chris Morales, head of security analytics at threat detection and response platform developer Vectra AI, said the NSA deserves kudos for reporting the vulnerability to Microsoft.

“I'd be interested to understand what makes this exploit worth reporting to Microsoft instead of keeping for their personal arsenal as they have in the past. It could be because many of those previous tools leaked and have caused widespread damage across multiple organisations,” he said.

“It could be because there was concern others would find this vulnerability themselves and it was dangerous enough to warrant remediation instead of weaponising. Or it just could be the NSA already has enough other methods for compromising a Windows system and doesn’t need it.”
