Windows CryptoAPI Spoofing Vulnerability Revealed
This week Microsoft disclosed the existence of a critical vulnerability in how Windows operating systems validate ECC-based x.509 certificates and released patches for affected versions that are supported.
We highly recommend immediate application of the appropriate patch to all Windows servers and client systems to prevent exploits based on this newly discovered flaw.
On January 14 Microsoft revealed the Windows CryptoAPI Spoofing Vulnerability. This vulnerability in how Windows deals with Elliptic Curve Cryptography (ECC) makes it possible to create identity-spoofed TLS / SSL and Code Signing certificates. Though we’re aware of no evidence suggesting that this exploit has been used in the wild, by its nature such an attack could be very damaging. Since the exploit’s announcement, white hat security researchers have published proofs-of-concept with unpatched Windows systems.
Sectigo strongly recommends immediate patching of all Windows systems to prevent such an exploit.
Note that this vulnerability does not affect your issued certificates in any way, whether or not they use ECC. You do not need to reissue Code Signing nor TLS certificates, and you do not need to stop using ECC.