Microsoft today released a set of cumulative updates for all supported Windows 10 versions. The updates resolve a critical vulnerability in Windows 10.
Here are some important details related to these updates:
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.
An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.
A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.
The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.
Also, check out the following document.
The released updates are as follows:
- Windows 10, version 1903 and Windows 10, version 1909: KB4528760 (OS Builds 18362.592 and 18363.592)
- Windows 10, version 1809: KB4534273 (OS Build 17763.973). Additionally, the update resolves an issue to support new SameSite cookie policies by default for release 80 of Google Chrome.
- Windows 10, version 1803: KB4534293 (OS Build 17134.1246)
- Windows 10, version 1709: KB4534276 (OS Build 16299.1625)
- Windows 10, version 1703: KB4534296 (OS Build 15063.2254)
- Windows 10, version 1607: KB4534271 (OS Build 14393.3443). Additionally, the update resolves an issue to support new SameSite cookie policies by default for release 80 of Google Chrome.
- Windows 10, initial release: KB4534306 (OS Build 10240.18453)
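
The build numbers above can be used to check an exported inventory for machines that still lack the fix. The following is an added example, not part of the original article or any Microsoft tooling; the host names and build strings in `SAMPLE` are constructed, and it assumes that a revision at or above the listed one includes the fix because the updates are cumulative.

```python
import re

# Patched OS builds from the list above: build -> (minimum revision, KB).
PATCHED = {
    18363: (592, "KB4528760"),
    18362: (592, "KB4528760"),
    17763: (973, "KB4534273"),
    17134: (1246, "KB4534293"),
    16299: (1625, "KB4534276"),
    15063: (2254, "KB4534296"),
    14393: (3443, "KB4534271"),
    10240: (18453, "KB4534306"),
}

# Accepts "10.0.18362.535" as well as the short form "18362.535".
_BUILD_RE = re.compile(r"^(?:10\.0\.)?(\d{5})\.(\d+)$")

def classify(build_string):
    """Return (status, kb) for one reported OS build string."""
    m = _BUILD_RE.match(build_string.strip())
    if not m:
        return ("unparseable", None)      # e.g. revision missing from the export
    build, revision = int(m.group(1)), int(m.group(2))
    if build not in PATCHED:
        return ("unknown-build", None)    # not covered by this article's list
    min_revision, kb = PATCHED[build]
    status = "patched" if revision >= min_revision else "missing-update"
    return (status, kb)

def audit(inventory):
    """inventory: iterable of (host, build_string). Return rows needing attention."""
    findings = []
    for host, build in inventory:
        status, kb = classify(build)
        if status != "patched":
            findings.append((host, build, status, kb))
    return findings

# Constructed sample inventory (hypothetical hosts and builds).
SAMPLE = [
    ("ws-001", "10.0.18363.592"),
    ("ws-002", "10.0.18362.535"),
    ("srv-01", "17763.973"),
    ("kiosk-7", "10.0.14393.3384"),
    ("lab-3", "10.0.19041.1"),
    ("old-pc", "10.0.17134"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Hosts reported as `unknown-build` or `unparseable` need a manual check rather than being assumed safe.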
Source: Windows Update History