In the January 2020 Patch Tuesday, Microsoft patched vulnerability CVE-2020-0601.
The NSA gave notice for everyone to patch immediately. Here are some notes I collected on the threat this vulnerability poses.
The flaw is in the ECC crypto in the Microsoft Crypto Library.
- Most code signing uses RSA crypto
- The biggest threat is to TLS protocols, where the flaw could allow a bad guy to mount a MIM (man-in-the-middle) attack
- The Chrome and Firefox browsers do not use the Microsoft Crypto Library, so there is no risk of MIM there
- IE and Edge use the Microsoft Crypto Library, so they are vulnerable
Bottom line: Patch.