New Windows CryptoAPI vulnerability revealed; immediate action recommended



Microsoft has disclosed a critical vulnerability in how the Windows operating system validates ECC-based X.509 certificates and has released patches for the affected versions it still supports. We highly recommend applying the appropriate patch immediately to all Windows servers and client systems to prevent exploits based on this newly discovered flaw.

On January 14 Microsoft revealed the Windows CryptoAPI Spoofing Vulnerability. This vulnerability in how Windows deals with Elliptic Curve Cryptography (ECC) makes it possible to create identity-spoofed TLS and Code Signing certificates. Though we’re aware of no evidence suggesting that this exploit has been used in the wild, by its nature such an attack could be very damaging.


SSL247 strongly recommends immediate patching of all Windows systems to prevent such an exploit. The full set of security updates can be found here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601

Note that this vulnerability does not affect your issued certificates in any way, whether or not they use ECC: the flaw lies in the Windows system that validates a certificate, not in the certificate itself. You do not need to reissue Code Signing or TLS certificates, and you do not need to stop using ECC.
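The post does not describe the root cause; the public advisories for CVE-2020-0601 attribute it to Windows accepting ECC certificates that carry explicit curve parameters instead of a named-curve OID. As an added illustration (not SSL247's or Microsoft's code), the following Python check classifies the parameter form in a DER SubjectPublicKeyInfo so that a certificate inventory can flag explicit-parameter keys for review; the function and constant names are ours, and all sample keys are constructed dummy values rather than real key material.

```python
# Added example (not SSL247's or Microsoft's code): classify the curve parameters
# in a DER SubjectPublicKeyInfo. Constructed sample inputs, no real key material.
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")    # 1.2.840.10045.2.1
SECP256R1 = bytes.fromhex("2a8648ce3d030107")         # 1.2.840.10045.3.1.7
PRIME_FIELD = bytes.fromhex("2a8648ce3d0101")         # 1.2.840.10045.1.1
RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
def der(tag: int, payload: bytes) -> bytes:
    """Minimal DER TLV encoder (short and long definite-length forms)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def read_tlv(buf: bytes, pos: int = 0):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    start = pos + hdr
    return tag, buf[start:start + n], start + n

def ec_params_kind(spki: bytes) -> str:
    """Return 'named', 'explicit', 'implicit' or 'not-ec' for a SubjectPublicKeyInfo."""
    _, body, _ = read_tlv(spki)           # SubjectPublicKeyInfo SEQUENCE
    _, alg, _ = read_tlv(body)            # AlgorithmIdentifier SEQUENCE
    _, oid, nxt = read_tlv(alg)           # algorithm OID
    if oid != ID_EC_PUBLIC_KEY:
        return "not-ec"
    if nxt >= len(alg):
        return "implicit"                 # parameters absent
    ptag, _, _ = read_tlv(alg, nxt)
    if ptag == 0x06:
        return "named"                    # namedCurve OID: the expected, safe form
    if ptag == 0x30:
        return "explicit"                 # full ECParameters SEQUENCE: flag for review
    return "implicit"                     # NULL (implicitlyCA)

# Constructed sample keys: dummy point and curve values, not real key material.
POINT = der(0x03, b"\x00\x04" + b"\x11" * 64)
NAMED_SPKI = der(0x30, der(0x30, der(0x06, ID_EC_PUBLIC_KEY) + der(0x06, SECP256R1)) + POINT)
EXPLICIT_PARAMS = der(0x30, der(0x02, b"\x01")                                      # version
    + der(0x30, der(0x06, PRIME_FIELD) + der(0x02, b"\x00" + b"\xff" * 32))         # fieldID
    + der(0x30, der(0x04, b"\xaa" * 32) + der(0x04, b"\xbb" * 32))                  # curve a, b
    + der(0x04, b"\x04" + b"\xcc" * 64)                                             # base point G
    + der(0x02, b"\x00" + b"\xdd" * 32) + der(0x02, b"\x01"))                       # order, cofactor
EXPLICIT_SPKI = der(0x30, der(0x30, der(0x06, ID_EC_PUBLIC_KEY) + EXPLICIT_PARAMS) + POINT)
RSA_SPKI = der(0x30, der(0x30, der(0x06, RSA_ENCRYPTION) + der(0x05, b"")) + der(0x03, b"\x00"))
```

Run over the SubjectPublicKeyInfo of each certificate in a store or TLS inventory; a result of "explicit" on a certificate that is not expected to use custom curves is the condition worth reviewing.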

For more information, please contact one of our security consultants.


Posted on Thursday 16 January 2020 by Sayeeda Miah
