Singaporean regulator warns financial institutions about vulnerabilities in Microsoft Windows OS

Maria Nikolova

MAS has informed financial institutions using the affected Windows Operating Systems to take immediate action to install the relevant patches.

The Monetary Authority of Singapore (MAS) today issued a warning to financial institutions regarding vulnerabilities in the Microsoft Windows Operating System.

These vulnerabilities could allow malicious files or applications to bypass detection by security applications and gain control of computer systems. MAS has informed financial institutions using the affected Windows Operating Systems to implement the relevant patches. Financial institutions should also take mitigating measures to prevent the vulnerabilities from being exploited.

The regulator explains that Microsoft released security updates for its Windows Operating Systems on January 15, 2020 to address 49 vulnerabilities. According to the Cyber Security Agency of Singapore (CSA), four of the vulnerabilities (CVE-2020-0601, CVE-2020-0609, CVE-2020-0610 and CVE-2020-0611) are highly critical and require immediate attention.

In particular, there is a Windows CryptoAPI spoofing vulnerability. It concerns the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a forged code-signing certificate to sign an executable file, making it appear that the file was from a trusted, legitimate source. The system or user would have no way of knowing the file was not legitimate, because the digital signature would appear to be from a trusted provider.

The security update addresses the vulnerability by ensuring that the Windows CryptoAPI validates the ECC certificates. After applying the patch, the user would be able to detect the usage of forged certificates via the Windows Event Logs.
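As an added illustration of the Event Log detection mentioned above (this is not code from the article, MAS or Microsoft): once the January 2020 update is installed, Windows writes Event ID 1 from the provider Microsoft-Windows-Audit-CVE to the Application log when it encounters a certificate that exploits CVE-2020-0601. The script below parses such records after they have been exported with Get-WinEvent and ConvertTo-Json, and tallies the offending CA/thumbprint pairs. The sample records, the CA name and the thumbprint are constructed placeholders.

```python
import json
import re
from collections import Counter

# Constructed sample (not real log data): Application-log records in the shape produced by
#   Get-WinEvent -FilterHashtable @{LogName='Application'} | ConvertTo-Json
# The first two are the audit event a patched system writes on a CVE-2020-0601 detection;
# the third is unrelated noise. The CA name and the SHA-1 thumbprint are placeholders.
SAMPLE_EVENTS = r"""[
  {"LogName": "Application", "ProviderName": "Microsoft-Windows-Audit-CVE", "Id": 1,
   "TimeCreated": "2020-01-20T09:12:33",
   "Message": "Possible detection of CVE: [CVE-2020-0601] cert validation\r\nAdditional Information: CA: CN=Constructed Root CA sha1: 0123456789ABCDEF0123456789ABCDEF01234567"},
  {"LogName": "Application", "ProviderName": "Microsoft-Windows-Audit-CVE", "Id": 1,
   "TimeCreated": "2020-01-20T09:12:40",
   "Message": "Possible detection of CVE: [CVE-2020-0601] cert validation\r\nAdditional Information: CA: CN=Constructed Root CA sha1: 0123456789ABCDEF0123456789ABCDEF01234567"},
  {"LogName": "Application", "ProviderName": "MsiInstaller", "Id": 1033,
   "TimeCreated": "2020-01-20T09:13:00", "Message": "Windows Installer installed the product."}
]"""

AUDIT_PROVIDER = "Microsoft-Windows-Audit-CVE"
AUDIT_EVENT_ID = 1
# Pulls the CVE id, the CA subject and the certificate thumbprint out of the message text.
DETAIL_RE = re.compile(
    r"\[(?P<cve>CVE-\d{4}-\d+)\] cert validation.*?CA:\s*(?P<ca>.+?)\s+sha1:\s*(?P<sha1>[0-9A-Fa-f]{40})",
    re.S,
)


def parse_cve_events(raw_json):
    """Return one finding per Audit-CVE event; records from other providers are ignored."""
    findings = []
    for rec in json.loads(raw_json):
        if rec.get("ProviderName") != AUDIT_PROVIDER or rec.get("Id") != AUDIT_EVENT_ID:
            continue
        m = DETAIL_RE.search(rec.get("Message", ""))
        if not m:
            # The audit event is present but its text is not in the expected shape: still surface it.
            findings.append({"time": rec.get("TimeCreated"), "cve": "unknown", "ca": None, "sha1": None})
            continue
        findings.append({"time": rec.get("TimeCreated"), "cve": m["cve"],
                         "ca": m["ca"], "sha1": m["sha1"].lower()})
    return findings


def summarize(findings):
    """Count detections per (CVE, CA, thumbprint) so repeated hits from one forged chain group together."""
    return Counter((f["cve"], f["ca"], f["sha1"]) for f in findings)


if __name__ == "__main__":
    for key, n in summarize(parse_cve_events(SAMPLE_EVENTS)).items():
        print(f"{n}x {key[0]} CA={key[1]} sha1={key[2]}")
```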

The authorities also warn of Windows Remote Desktop Protocol (RDP) vulnerabilities. These include vulnerabilities in the Windows RDP Gateway Server that allow a pre-authenticated attacker to connect to a targeted system via RDP and send crafted requests that trigger the execution of arbitrary code on the target system.

Another vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server.

MAS notes it will continue to work closely with financial institutions to monitor the cybersecurity developments and ensure that IT systems in the financial sector are safeguarded and remain resilient against cyber threats.
