The NSA confirmed the existence of a major vulnerability in Windows 10 on Jan 14, 2020. This critical bug impacts millions of Windows 10 users worldwide. Anne Neuberger, the NSA's director of cybersecurity, disclosed the vulnerability to Microsoft. Reporting the vulnerability is considered an unprecedented step for the NSA, which chose to inform Microsoft so that it could release a patch instead of using the information for internal intelligence work.
The vulnerability is in Microsoft's CryptoAPI service, which validates the digital certificates that Windows checks for authentication on a user's device.
Attackers can use the bug to undermine this protection and take control of the system. An attacker can exploit it to act as a man-in-the-middle and decrypt confidential information on user connections to the affected software. Microsoft said that the vulnerability affects the Windows 10, Windows Server 2019 and Windows Server 2016 operating systems. Both Microsoft and the NSA report that the bug has not been actively exploited since the patch release.
We urge all organizations to patch their systems immediately. Microsoft released the patch on Tuesday. Systems set to update automatically will already have been patched. Those with updates set to manual must apply the update as soon as possible.