After Adobe today released its first Patch Tuesday updates for 2020, Microsoft has now also published its January security advisories, warning billions of users of 49 new vulnerabilities in its various products.
CVE-2020-0601: Windows CryptoAPI Spoofing Vulnerability
According to an advisory released by Microsoft, the flaw, dubbed 'NSACrypt' and tracked as CVE-2020-0601, resides in the Crypt32.dll module that contains various 'Certificate and Cryptographic Messaging functions' used by the Windows Crypto API for handling encryption and decryption of data.
The issue resides in the way the Crypt32.dll module validates Elliptic Curve Cryptography (ECC) certificates. ECC is currently the industry standard for public-key cryptography and is used in the majority of SSL/TLS certificates.
Exploitation of the vulnerability allows attackers to abuse validation of trust between:
- HTTPS connections
- Signed files and emails
- Signed executable code launched as user-mode processes
"This vulnerability is classed Important and we have not seen it used in active attacks," Microsoft said in a separate blog post.
There is no mitigation or workaround available for this vulnerability, so you're highly recommended to install the latest software updates by heading to your Windows Settings → Update & Security → Windows Update → clicking 'Check for updates on your PC.'