The bug is located in crypt32.dll and compromises authentication on Windows desktops and servers; it also makes it possible to spoof digital signatures. Among other things, the bug makes it possible for malware to pose as a legitimate piece of software.
The vulnerability is in the component of Windows' cryptography library that validates X.509 certificates, somehow bypassing the chain of trust used to validate a certificate. Microsoft's advisory on the vulnerability said that the bug could be used to fake the software-signing certificate on a malicious version of an application, making it look like it came from a trusted developer. However, the risk extends beyond code signing. A National Security Agency advisory indicates that the vulnerability could also be used for man-in-the-middle attacks against secure HTTP (HTTPS) connections, and to spoof signed files and emails.

Affected versions of Windows include Windows 10, Windows Server 2016, Windows Server 2019, and Windows Server version 1803.
Will confirms all X.509 validation broken, not just code signing. Okay, I'm back on the hype train, that's pretty bad. https://t.co/6rBV1lu4Yk
— Tavis Ormandy (@taviso) 14 January 2020
Via: Ars Technica