Microsoft on Tuesday patched an extremely serious security vulnerability that exists in a core encryption component of all versions of Windows. The National Security Agency found and reported this flaw.
The vulnerability affects the encryption of digital signatures used to verify content, including software or files. If exploited, it could allow criminals to deliver malicious code that appears to be from a trusted entity. The analysis notes some examples of where validation of trust would be impacted:
- HTTPS connections
- Signed files and emails
- Signed executable code launched as user-mode processes
Microsoft declined to confirm or provide more details in a statement.
“We follow the principles of coordinated vulnerability disclosure as the industry best practice to protect our customers from reported security vulnerabilities. To prevent unnecessary risk to customers, security researchers and vendors do not discuss the details of reported vulnerabilities before an update is available.”
Jeff Jones, a senior director at Microsoft, said in a statement Tuesday: “Customers who have already applied the update, or have automatic updates enabled, are already protected. As always we encourage customers to install all security updates as soon as possible.”