
Microsoft has fixed a serious vulnerability in Windows. The vulnerability was discovered by the US National Security Agency (NSA) and is tracked as CVE-2020-0601. It affects Windows 10, Windows Server 2016, Windows Server 2019 and Windows Server version 1803.

The flaw lies in the Windows CryptoAPI library (Crypt32.dll) and the way it validates Elliptic Curve Cryptography (ECC) certificates: it allows an attacker to forge certificates that Windows accepts as trusted. Because the Public Key Infrastructure (PKI) security framework is bypassed in this way, a forged code-signing certificate can make malicious software appear legitimately signed and a forged TLS certificate can be used to intercept supposedly secure connections, which can ultimately lead to remote code execution.

“PKI is a set of mechanisms that home users, businesses, and governments rely upon in a wide variety of ways,” the NSA's Central Security Service stated. “The vulnerability permits an attacker to craft PKI certificates to spoof trusted identities, such as individuals, web sites, software companies, service providers, or others. Using a forged certificate, the attacker can (under certain conditions) gain the trust of users or services on vulnerable systems, and leverage that trust to compromise them.”
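The NSA advisory on CVE-2020-0601 recommends looking for certificates whose EC public key carries explicit curve parameters instead of a named-curve OID, because the forgery relies on attacker-chosen parameters (notably the base point) that make the forged key match a trusted root's public key while the attacker holds the matching private key. The following Python script is an added example, not code from the article, Microsoft or the NSA: it parses a certificate's SubjectPublicKeyInfo and flags that case. The minimal DER reader, the function names and the inline sample structures (placeholder key bytes and placeholder parameter values, constructed for the example) are assumptions made here and are not real keys or certificates.

```python
"""Flag SubjectPublicKeyInfo (SPKI) structures whose EC key carries explicit
curve parameters instead of a named-curve OID.

Added example for this article; not code from Microsoft, the NSA or the
article. It contains a minimal DER reader (enough for an SPKI), and the sample
SPKIs at the bottom are constructed inline with placeholder key bytes and
placeholder parameter values, so they are not valid keys or real certificates.
"""
from typing import Dict, List, Tuple

OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"   # id-ecPublicKey
OID_PRIME256V1 = "1.2.840.10045.3.1.7"    # secp256r1 / NIST P-256

TAG_INTEGER, TAG_BIT_STRING, TAG_OCTET_STRING = 0x02, 0x03, 0x04
TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x05, 0x06, 0x30


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def decode_oid(value: bytes) -> str:
    """Turn the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def classify_spki(spki: bytes) -> str:
    """Classify the AlgorithmIdentifier parameters of an SPKI.

    Returns 'named-curve:<oid>', 'explicit-parameters', 'implicit' (NULL or
    absent parameters) or 'not-ec' for non-EC keys.
    """
    tag, body, _ = read_tlv(spki, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, _ = read_tlv(body, 0)        # AlgorithmIdentifier
    if tag != TAG_SEQUENCE:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid, pos = read_tlv(alg, 0)
    if tag != TAG_OID or decode_oid(oid) != OID_EC_PUBLIC_KEY:
        return "not-ec"
    if pos >= len(alg):                    # parameters absent
        return "implicit"
    tag, params, _ = read_tlv(alg, pos)
    if tag == TAG_OID:
        return "named-curve:" + decode_oid(params)
    if tag == TAG_SEQUENCE:                # ECParameters {version, fieldID, curve, base, order, ...}
        return "explicit-parameters"
    if tag == TAG_NULL:
        return "implicit"
    raise ValueError(f"unexpected EC parameter tag 0x{tag:02x}")


def find_explicit_parameter_keys(samples: Dict[str, bytes]) -> List[str]:
    """Names of the samples whose EC key uses explicit parameters."""
    return [name for name, spki in samples.items()
            if classify_spki(spki) == "explicit-parameters"]


# --- constructed sample inputs (placeholders, not real keys) -----------------

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER element (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


ID_EC_PUBLIC_KEY = bytes.fromhex("06072a8648ce3d0201")       # 1.2.840.10045.2.1
ID_PRIME256V1 = bytes.fromhex("06082a8648ce3d030107")        # 1.2.840.10045.3.1.7
ID_PRIME_FIELD = bytes.fromhex("06072a8648ce3d0101")         # 1.2.840.10045.1.1
ID_RSA_ENCRYPTION = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1

# Placeholder uncompressed point (0x04 || X || Y); not a real curve point.
FAKE_POINT = der(TAG_BIT_STRING, b"\x00\x04" + b"\x11" * 64)

NAMED_CURVE_SPKI = der(TAG_SEQUENCE,
                       der(TAG_SEQUENCE, ID_EC_PUBLIC_KEY + ID_PRIME256V1) + FAKE_POINT)

# Explicit ECParameters with placeholder values; structurally valid only.
FAKE_EC_PARAMS = der(TAG_SEQUENCE,
                     der(TAG_INTEGER, b"\x01")                                              # version
                     + der(TAG_SEQUENCE, ID_PRIME_FIELD + der(TAG_INTEGER, b"\x17"))          # fieldID
                     + der(TAG_SEQUENCE, der(TAG_OCTET_STRING, b"\x01")
                           + der(TAG_OCTET_STRING, b"\x01"))                                 # curve a, b
                     + der(TAG_OCTET_STRING, b"\x04\x00\x01")                               # base point
                     + der(TAG_INTEGER, b"\x1c"))                                           # order
EXPLICIT_PARAMS_SPKI = der(TAG_SEQUENCE,
                           der(TAG_SEQUENCE, ID_EC_PUBLIC_KEY + FAKE_EC_PARAMS) + FAKE_POINT)

RSA_SPKI = der(TAG_SEQUENCE,
               der(TAG_SEQUENCE, ID_RSA_ENCRYPTION + der(TAG_NULL, b"")) + FAKE_POINT)

SAMPLES = {"named-curve": NAMED_CURVE_SPKI,
           "explicit-params": EXPLICIT_PARAMS_SPKI,
           "rsa": RSA_SPKI}

if __name__ == "__main__":
    for name, spki in SAMPLES.items():
        print(f"{name:16s} {classify_spki(spki)}")
    print("suspicious:", find_explicit_parameter_keys(SAMPLES))
```

To run this against a real certificate, export its public key with `openssl x509 -in cert.pem -pubkey -noout`, base64-decode the PEM body and pass the resulting DER bytes to `classify_spki`. Explicit parameters are legal ASN.1 and not proof of an attack, but they are rare in practice, so a flagged certificate deserves a closer look; the check complements installing the Microsoft patch, it does not replace it.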

New policy

According to Silicon Angle, this is the first time the NSA has publicly revealed a vulnerability it discovered. Speaking to Bleeping Computer, NSA Director of Cybersecurity Anne Neuberger said the agency went public to build trust, and also as part of a new transparency policy. The NSA has often been accused of withholding vulnerabilities, and sometimes of using them for its own purposes.