Today's Windows security update is historic: NSA is why

By Chris Burns/Jan. 14, 2020 4:04 pm EST

A software update released today addresses a historic report was made by the National Security Agency (NSA) to Microsoft about Windows OS. The situation is historic due to the history of the groups – this is the very first time that the United States NSA has reported a security vulnerability they've found in Windows OS to Microsoft. This is the first such report made to Microsoft by the NSA in the history of the NSA.

In the past, it was made clear that the NSA exploited Windows loopholes, without bothering to let Microsoft know that said loopholes were live in effect. If the situation weren't horrible enough when Microsoft suggested the NSA loopholes had been patched, the monster called WannaCry galloped through massive numbers of computers, collecting hundreds of thousands of dollars worth of Bitcoin as it rode.

Here in January of 2020, it would appear that the NSA voluntarily reported a loophole before it found its way to hacker/leaker hands. It's a good thing, too, because this one could've been just as much a monster as the example above. This new vulnerability is code named CVE-2020-0601 and otherwise called "NSACrypt" to make headlines easy.

"A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates," wrote a Microsoft security guidance specialist. "An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider."

Once the exploit was in place, the malicious party could roll with a man-in-the-middle attack and "decrypt confidential information on user connections to the affected software."

The fix comes in the form of a software update that should be available to all Windows 10 users (and a few others) starting this week. Windows 10, Windows Server 2016, Windows Server 2019, and a few others can be found on the Security Updates list. Other issues besides the vulnerability discovered by the NSA can be found in the Security Guidance list for January 2020.

You may end up getting this security update automatically. To check to see if the update is available now and has not yet been downloaded/delivered/loaded, tap your Start button – go to Settings – Update & Security – Windows Update.