Note that this does not seem to be limited to software signing, but affects all X.509 certificates[0]. This means it can be used for example to man in the middle HTTPS connections.
I'm surprised to not see patches for Windows 7 and 8.1 (vuln is rated "important", 7 ends extended support today, 8.1 still has 3 years to go, so both should've qualified). I guess the vulnerability is new in Windows 10?
7 comments
[ 3.1 ms ] story [ 30.6 ms ] threadRelated thread: https://news.ycombinator.com/item?id=22039481
0: https://mobile.twitter.com/taviso/status/1217146026923978752
https://archive.md/tykYn
[0] https://docs.microsoft.com/en-us/windows-server/security/tls...
https://support.microsoft.com/en-us/help/4057281/windows-7-s...
This sounds more like a key leak than a code exploit, no?