Patch Windows 10 and Server now because certificate validation is broken

by
Sean Gallagher
from Ars Technica - All content on (#4XXBP)
nsaadvisory-800x501.jpg

Enlarge / The NSA says to patch now. (credit: National Security Agency)

Microsoft's scheduled security update for Windows includes a fix to a potentially dangerous bug that would allow an attacker to spoof a certificate, making it look like it came from a trusted source. The vulnerability, reported to Microsoft by the National Security Agency, affects Windows 10, Windows Server 2016, Windows Server 2019, and Windows Server version 1803.

Microsoft has rated the update as "important" rather than critical. But in a blog post, Mechele Gruhn, the Principal Security Program Manager for Microsoft Security Response Center, explained that this was because "we have not seen it used in active attacks."

However, researchers outside Microsoft-including Google's Tavis Ormandy-have a much more dire assessment of the vulnerability and urge users to patch quickly before an active exploit appears.

Read 4 remaining paragraphs | Comments

index?i=GYRdbI89ER8:EWb42E6SYc0:V_sGLiPB index?i=GYRdbI89ER8:EWb42E6SYc0:F7zBnMyn index?d=qj6IDK7rITs index?d=yIl2AUoC8zA
External Content
Source RSS or Atom Feed
Feed Location http://feeds.arstechnica.com/arstechnica/index
Feed Title Ars Technica - All content
Feed Link https://arstechnica.com/
Reply 0 comments