Microsoft has addressed a severe bug present in all versions of Windows that allowed malicious parties to spoof security certificates, enabling attackers to carry out attacks and gain access to sensitive information.
“A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates,” Microsoft said.
According to the company, an attacker could exploit the vulnerability by using a spoofed certificate to sign a malicious executable.
“The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider,” Microsoft said.
The company added that malicious parties could use the aforementioned executable to run man-in-the-middle attacks or decrypt confidential information.
Microsoft has released a security update that addresses this vulnerability by “ensuring that Windows CryptoAPI completely validates ECC certificates”.
Users are advised to check for available updates – the Windows 10 update can be downloaded here.
Massive security risk
An advisory released by the NSA said that this flaw could have far-reaching security implications.
“NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable,” the agency said.
“The consequences of not patching the vulnerability are severe and widespread.”
Security professionals, speaking with KrebsOnSecurity, said that it could be mere hours before experts develop ways to exploit this bug, and KrebsOnSecurity said it has seen indications that such methods are already being developed.
The issue has been described as “extraordinarily serious”, with patches being pushed to military and intelligence organisations ahead of the mainstream security update.