Serious Microsoft crypto vulnerability – patch right now – Naked Security

Source: National Cyber Security – Produced By Gregory Evans

The burning question of the moment is, “What about CVE-2020-0601?”

That’s the bug number assigned to one of the security holes fixed in Microsoft’s January 2020 Patch Tuesday updates.

Of the 50 bugs patched this month, that’s the Big One, officially described by Microsoft as a “Windows CryptoAPI Spoofing Vulnerability”.

To explain.

The CryptoAPI, partly implemented in a Windows file called crypt32.dll (you’ll also hear that filename used to describe this bug), is the way that many, if not most, Windows programmers add encryption functionality to their software.

Instead of writing their own encryption routines – something Naked Security regularly urges you not to do, because it’s easy to make dangerous mistakes! – many programmers use the CryptoAPI built into Windows itself.

One of the functions that the CryptoAPI offers is to check and validate so-called digital certificates, which are blocks of cryptographic data that are used to vouch for online services you use (such as websites) or files you load (such as programs).

Digital certificates are the cryptographic sauce that puts the S into HTTPS, and the padlock into your browser’s address bar.

They are also the cryptographic mechanism that vouches for the vendor of any digitally signed software you use, and makes sure that the software hasn’t been tampered with.

The idea is that you create a certificate to vouch for your website or your software; you get a so-called Certificate Authority (CA) to sign your certificate to vouch for you; and your browser or operating system – in this case, Microsoft’s CryptoAPI – vouches for the CA.