Skip to main content

Northwestern IT Addresses Microsoft Security Flaw

Posted Date: 15 Jan 2020

Effective Date: 15 Jan 2020

This week, Microsoft announced a major security flaw affecting Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Windows 7, 8, and 8.1 are not affected.

As disclosed to Microsoft by the National Security Agency (NSA), a spoofing vulnerability exists that could allow hackers to intercept seemingly secure communications. The user would have no way of knowing the file was malicious because the digital signature would appear to be from a trusted provider. A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software. The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.

Impact on the University Community

Since learning of the vulnerability, Northwestern IT immediately began assessing the exposure of campus systems and has not detected any exploits to date at the University.

It is extremely important for all users, system administrators, and those in managed environments to apply the latest patches to Windows operating systems on home and Northwestern devices (desktops, laptops, and servers). Once patches are applied, devices should be rebooted to complete the patches installation.

Northwestern IT is currently reviewing network and enterprise computing infrastructure to determine the extent of the exposure and prioritizing patching. Distributed Support Services customers will also be patched as updates become available.

Additional information, including details regarding patching of systems that may interrupt service delivery, will be distributed as it becomes available.

End User Impact

Northwestern IT is addressing a major security flaw announced by Microsoft that affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Back to top