The US National Security Agency has warned Microsoft about a vulnerability in Windows 10 that can be abused to make malware look like a legitimate program.
On Tuesday, Microsoft released a patch to fix the flaw, which also affects Windows Server 2016 and Windows Server 2019.
The "spoofing vulnerability" involves the operating system's CryptoAPI, also known as Crypt32.dll, which can be used to encrypt and decrypt data.
The same API can also validate whether a Windows application is legit by authenticating that the program's digital certificate came from the trusted software developer.
However, the NSA uncovered a flaw in the CryptoAPI's process that can prevent Windows from completely authenticating a certificate.
"An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source," Microsoft said in today's advisory.
"The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider."
The company went on to warn the vulnerability can pave the way for "man-in-the-middle attacks." This could involve a hacker distributing a legitimate-looking program when it's actually been rigged to act as spyware.
This you are strongly encouraged to implement the recently released CVE-2020-0601 patch immediately.
— NSA/CSS (@NSAGov)
https://t.co/czVrSdMwCR
The same vulnerability can also be used to spoof encrypted HTTPS connections over the internet, as well as signed files and emails, the NSA said in a rare advisory published on Tuesday.
"The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors.
NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable," the agency warned.
The vulnerability, dubbed CVE-2020-0601, has been grabbing headlines after security journalist Brian Krebs initially reported the flaw was "extraordinarily serious," resulting in Microsoft quietly shipping a patch to branches of the US military and other high-value enterprise customers.
The good news is that Microsoft has uncovered no one abusing the vulnerability yet.
Older operating systems, such as Windows 7, are also unaffected.
Nevertheless, the NSA predicts hackers will quickly create and distribute tools to remotely exploit the flaw.
As bad as CVE-2020-0601 may sound, the vulnerability itself has no capability to remotely take over your PC.
You'd still have to download the piece of malicious software and execute it.
At the same time, most users rely on third-party browsers from Google, Mozilla, and Apple to visit websites.
Instead, the real threat is a hacker infiltrating websites or server networks to distribute software that appears to be legitimate, but is actually malware.
It's likely why the NSA is urging enterprises in particular to patch the flaw.
"This vulnerability may not seem flashy, but it is a critical issue.
Trust mechanisms are the foundations on which the internet operates—and CVE-2020-0601 permits a sophisticated threat actor to subvert those very foundations," NSA's technical director Neal Ziring wrote in a post.
According to Ziring, the agency shared details of CVE-2020-0601 "quickly" with Microsoft after discovering the flaw.
Whether the NSA ever used the vulnerability for spying purposes is unknown.
But the agency has received flak for previously keeping secret a more serious Windows bug, called EternalBlue, which was later used by the ransomware WannaCry to attack PCs across the world in 2017.
You can download today's fix as part of Microsoft's Patch Tuesday package from the company's website.
Microsoft will also roll out the fix to your Windows 10 machine if you've turned on automatic updates.