Microsoft today released a patch for Windows 10 and Windows Server 2016 after the National Security Agency discovered and disclosed a serious vulnerability. It is a rare, if not unprecedented, disclosure that underlines the severity of the flaw, and it may signal new priorities for the NSA.
The flaw lies in the Windows mechanism that confirms the legitimacy of software and establishes secure web connections. If that verification itself cannot be trusted, attackers can take advantage of it to remotely spread malware or intercept sensitive information.
"[We are] recommending that network owners expedite implementation of the patch immediately, as we will," Anne Neuberger, head of the NSA's Cybersecurity Directorate, said on a call with reporters on Tuesday. "When we identified a broad cryptographic vulnerability like this, we quickly contacted the company to make sure it could be fixed."
The flaw lies specifically in Microsoft's CryptoAPI service, which developers use to cryptographically "sign" software and data, or to generate the digital certificates used to authenticate users' devices. An attacker could potentially exploit the bug to undermine important protective measures and ultimately take control of victims' devices.
of the security assessment firm TrustedSec, who previously worked at the NSA. "That would completely bypass so many protective measures."
As researchers and cybercriminals alike investigate the vulnerability and race to develop a tool that exploits it, the true level of risk to users will become clearer. But a bug in a critical cryptographic component of Windows is undoubtedly problematic, especially given that Windows 10 is the most widely used operating system in the world and is installed on more than 900 million PCs. "This is a core part of the low-level Windows operating system and builds trust between administrators, regular users, and other computers on both the local network and the internet," said Kenn White, security chief at MongoDB and director of the Open Crypto Audit Project. "If the technology that establishes that trust is vulnerable, it could have catastrophic consequences. But we are still analyzing exactly what scenarios and prerequisites are required. It will be a long day for many Windows administrators around the world."
The NSA's decision to share the vulnerability is reminiscent of EternalBlue, the NSA hacking tool that exploited a Windows bug patched in early 2017. That bug was present in every version of Windows available at the time, and the NSA had been aware of it, and had used it for digital espionage, for more than five years. Eventually the NSA lost control of EternalBlue; a few weeks after Microsoft released an update, a mysterious hacking group known as the Shadow Brokers leaked the tool online. Criminals and nation-state hackers had a field day with the tool while Windows computers around the world were slow to patch.
The disclosure of the Windows 10 validation flaw could be the NSA's attempt to avoid a similar debacle. And unlike with EternalBlue, Neuberger made clear that the agency had not used the exploit itself.
Neuberger said that disclosing the code-verification flaw to Microsoft and the public is part of a new NSA initiative in which the agency shares its vulnerability findings faster and more often. The effort will operate alongside the National Security Council's existing Vulnerabilities Equities Process, which weighs the national security value of keeping a hacking tool secret against the value of disclosing the vulnerability publicly. "It is hard for companies to trust that we really take this seriously," she said, "and [that] making sure that vulnerabilities can be mitigated is a top priority."