The National Security Agency recently discovered a major cryptographic flaw in Microsoft’s low-level code within their operating system. This flaw, now known as CurveBall, was found within Windows CryptoAPI and effects the way Elliptic Curve Cryptography (ECC) x.509 certificates are validated, giving attackers the ability to “undermine how Windows verifies cryptographic trust,” as stated in the NSA’s Cybersecurity Advisory on this issue.
On 14th January 2020, Microsoft released a software update to fix this serious security vulnerability. Yet, due to the potentially severe nature of this vulnerability, they first made the patch available to the US government, military and “other high-value customers/targets that manage key Internet infrastructure.” If exploited by attackers, it would give them the ability to spoof digital signatures, essential for digital security and trust.
Initially reported by Brian Krebs at KrebsOnSecurity, this story has since made headlines in major news outlets, such as the Washington Post, Tech Crunch, and Wired, all of which include public comments from Anne Neuberger, director of the NSA’s Cybersecurity Directorate.