Update Windows 10 Immediately (14 Jan 2020)

I work in cybersecurity. Most cybersecurity news articles are hyped up way too much; however, today’s announcement about Windows is very serious. The US Gov’t is recommending everyone update immediately.

**Update Windows 10 Immediately**

If you are using Windows 10, Windows Server 2016 or Windows Server 2019 at work or at home, update your computer immediately.

The risks of this vulnerability are so high that it’s worth taking time out of your day to update your computer.

How do I update?

1. Select the Start button

2. Go to Settings > Update & Security > Windows Update

3. Click “Check for Updates”

You may need to click “Check for update” twice in order to have the update appear.

4. Download & Install the updates (may require Windows to restart)

What does the update look like?

You’ll see a few updates for “2020–01” and “January 2020”

Photo by Panos Sakalakis on Unsplash

Why the urgency?

The NSA disclosed a vulnerability to Microsoft that affects all X.509 validation and code signing. This enables an attacker to do a lot of bad things, like intercept your encrypted browser traffic, impersonate as a legitimate entity (both for software and websites), etc. The NSA is encouraging everyone to implement the patch immediately. In short, this is a really bad vulnerability. Those who don’t patch are almost guaranteed to get hacked in the coming days, weeks and months.

Microsoft silently issued patches to the US Military and Critical Infrastructure clients (e.g., power companies) over the past little bit so they had extra time to patch. This underscores just how critical this bug is.

Is this vulnerability being exploited in the wild?

At the moment, neither Microsoft nor the NSA have seen this vulnerability exploited in the wild; however, criminals and nation-states will create exploits for this in short order. This is why people need to update their Windows 10 computers ASAP.

Where can I learn more?

*NSA’s notice: https://twitter.com/NSAGov/status/1217152211056238593

*KrebsOnSecurity: https://twitter.com/briankrebs/status/1217146512406433792

*Carnegie Mellon University’s analysis: https://kb.cert.org/vuls/id/849224/

*Washington Post’s article (note, though, that the NSA has not stated if they’ve exploited this vulnerability): https://www.washingtonpost.com/national-security/nsa-found-a-dangerous-microsoft-software-flaw-and-alerted-the-firm--rather-than-weaponize-it/2020/01/14/f024c926-3679-11ea-bb7b-265f4554af6d_story.html (edited)