Critical Windows patch for cryptography library issued

Yesterday, Microsoft released a patch that fixes a critical spoofing vulnerability in the Windows CryptoAPI library, CRYPT32.DLL. This flaw can facilitate remote code execution, man-in-the-middle, and other attacks through a wide variety of delivery methods, including browsers and emails. Encryption is not an effective defense in this case. Detection of an attack using this method is unlikely because the flaw allows forged traffic to appear legitimate. The official guidance is that the issue exists in all Windows 10 versions and all versions of Windows Server 2016 and Windows Server 2019; other sources have reported that all versions of Windows may be affected.

Full details of the vulnerability can be found on Microsoft’s Security Response Center website and in an NSA briefing paper.

This has been reported in detail elsewhere, but it bears repeating: this vulnerability is highly likely to be exploited sooner rather than later. Don’t wait.
