Do you keep up with your Windows Updates?

Public Key Infrastructure Vulnerabilities

Windows systems have long been a target for attackers. One of the most recent of those attacks affects the Public Key Infrastructure (PKI) and its ability to ensure confidentiality, authentication, integrity, and non-repudiation of data and entities. Neal Ziring, Technical Director of the Cybersecurity Directorate of the United States National Security Agency (NSA), says “This kind of vulnerability may shake our belief in the strength of cryptographic authentication mechanisms and make us question if we can really rely on them.”

The vulnerability, known as CVE-2020-0601, was first discovered and reported by the NSA on 14 January 2020. According to a recent tweet from Brian Krebs, an American journalist best known for his coverage of cybercrime: “Sources say this disclosure from NSA is planned to be the first of many as part of a new initiative at NSA dubbed ‘Turn a New Leaf’ aimed at making more of the agency’s vulnerability research available to major software vendors and ultimately to the public.”

The National Institute of Standards and Technology (NIST) describes CVE-2020-0601 in its National Vulnerability Database as follows: “A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka ‘Windows CryptoAPI Spoofing Vulnerability’.” It is also described as a zero-day, meaning that there was no advance notice that the vulnerability existed.

For would-be attackers, this vulnerability is a golden opportunity to pose as a legitimate user or resource with supporting credentials. If not mitigated, the very fabric of trust on which the internet itself exists would collapse.

Mitigation is rather simple. Windows Update will automatically download and install the patch for the vulnerability. If Windows is not set to auto-update, or a stand-alone patch is needed, it can be downloaded from Microsoft directly at:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
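Once the patch is installed, a patched system records a certificate rejected for this issue in the Application event log. The script below is an added example for defenders and is not part of the original post or of Microsoft's tooling; it assumes the post-patch provider name `Microsoft-Windows-Audit-CVE` and Event ID 1, whose message text references CVE-2020-0601.

```powershell
# Added example, not from the original post. Assumes the patched build logs
# rejected certificates through provider "Microsoft-Windows-Audit-CVE",
# Event ID 1, in the Application log, with "[CVE-2020-0601]" in the message.
$Filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-Audit-CVE'
    Id           = 1
    StartTime    = (Get-Date).AddDays(-7)
}

# SilentlyContinue: Get-WinEvent throws when no matching events exist,
# and "no events" is a valid (quiet) result here, not an error.
$Events = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'CVE-2020-0601' }

if (-not $Events) {
    Write-Output 'No CVE-2020-0601 certificate-validation events in the last 7 days.'
    return
}

# Newest first: each row is one certificate the patched CryptoAPI refused.
$Events |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, MachineName, Message |
    Format-Table -AutoSize -Wrap
```

An empty result on an unpatched machine proves nothing, because the logging only exists once the update is applied; confirm the patch is installed before relying on this check.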