Microsoft has released a security update today to fix "a broad cryptographic vulnerability" impacting the Windows operating system.
The bug was discovered and reported by the US National Security Agency (NSA), NSA Director of Cybersecurity Anne Neuberger said in a press call today.
The CVE-2020-0601 bug
According to a security advisory published today, "a spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates."
Microsoft says that an attacker could exploit this bug "to sign a malicious executable, making it appear the file was from a trusted, legitimate source."
But besides faking file signatures, the bug could also be used to fake digital certificates used for encrypted communications.
"A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software," Microsoft also said.
According to Microsoft, this vulnerability impacts Windows 10, Windows Server 2019, and Windows Server 2016 OS versions.
Microsoft and the NSA said they have not seen any active attacks exploiting this bug prior to today's patch.
NSA's first credit
The bug is considered as bad as it gets. Neuberger said the agency took an unprecedented step by reporting the bug, instead of hoarding the vulnerability and using it for its offensive tools and operations.
The CVE-2020-0601 vulnerability marks the first time Microsoft has credited the NSA for reporting a bug. Other cyber-security agencies have previously reported major vulnerabilities to Microsoft; for example, the UK National Cyber Security Centre reported the now infamous BlueKeep bug to Microsoft back in May 2019.
Neuberger said the NSA reporting this bug is a change in the agency's general