Update Windows 10 as soon as possible to patch broken X.509 certificate validation

Written 5 months ago by IanDorfman

If you're using Windows 10, make sure to update your installation as soon as possible to patch a major security risk.

The United States National Security Agency has released an advisory urging Windows 10 users to update their operating system as quickly as possible. The portion of Windows 10's cryptography library that validates public key certificates using the X.509 standard contains a vulnerability. This vulnerability can be used to forge a software signing certificate that Windows does not recognize as fake. Attackers can use this to dupe users into installing malicious versions of applications.

The NSA advisory also mentions that the vulnerability can be used to spoof signed emails and files, as well as to perform man-in-the-middle attacks between a Windows 10 install and any secure HTTPS connection. The advisory states the following:

"Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners."

No active exploit that uses this vulnerability has been discovered, but it's still highly recommended to update your installation of Windows 10 as soon as possible.

Further coverage:
Ars Technica