Windows uses a document link library, Crypt32.dll, to keep track of trusted certificate authorities. There's a flaw in the .dll (which Microsoft recently posted a patch for) which allows it to incorrectly approve malicious software and web sites. The vulnerability is named CVE-2020-0601. Windows updates are not vulnerable to a CVE-2020-0601 attack, so there's no danger in updating your operating system with files that have been incorrectly authorized.

This is the first time that the National Security Agency has made a Windows vulnerability public. The United States government follows a Vulnerabilities Equities Process in determining whether or not to disclose computer security flaws to the public.

Information about CVE-2020-0601 is posted in the National Vulnerability Database. NIST assigned the vulnerability a common vulnerability scoring system score of 8.1 on a scale of 10.