NSA trying to rehabilitate itself post-Snowden?
It is a bug in ECC certificate validation. MS insists it only affects code signing certs and comms intercepts are limited to the rogue application (unlike the NSA's claimed wholesale snooping).
Not a good thing but given the general clusterfsck that is commercial application code signing, I don't see it having a huge impact beyond the existing mayhem.