NSA discovers major security vulnerability in Windows 10

H/T to my friend Echo Charlie via AlertsUSA:

The National Security Agency has alerted Microsoft in recent weeks to a significant issue affecting its Windows 10 operating system. U.S. government officials describe the vulnerability in Windows 10 – ubiquitous within corporations and among consumers – as “especially severe” and one that Microsoft customers should work to fix immediately by updating their systems.

The vulnerability is found in a decades-old Windows cryptographic component known as CryptoAPI. The flaw can be exploited to allow the spoofing of the digital signature of software, allowing the installation of malware that is posing as a legitimate application.

Operating systems impacted include Windows 10 (all versions), as well as Windows Server 2016 & 2019.

In a sign of how severe officials considered the flaw, the Department of Homeland Security issued an emergency directive on this afternoon instructing federal agencies to take a series of steps to apply patches to their systems immediately. DHS also said it would hold calls with private industry partners warning about the risks posed by the flaw.

Although Emergency Directive 20-02 applies only to certain Executive Branch departments and agencies, CISA strongly recommends state and local governments, the private sector, and others also patch these critical vulnerabilities as soon as possible. Review the following resources for more information:

National Security Agency Cybersecurity Advisory

A security update was released by Microsoft on January 14, 2020, and customers who have already applied the update, or have automatic updates enabled, should already be protected.

All the more reason to be running a version of Linux. Wanna learn how to protect yourself in the digital world? We’ve got a class for that in March.