Microsoft has now also confirmed the vulnerability. It stated that "A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates." This means that an attacker could exploit the flaw, in a way that the NSA said "makes trust vulnerable," by using a spoofed code-signing certificate. A malicious file signed this way could appear to come from a legitimate and trusted source. "A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software," Microsoft said, adding that "the security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates." All Windows 10 users are advised to apply the Patch Tuesday update as soon as it becomes available to them.