US Intelligence Agency Warns About Windows 10 Security Flaw; 80 Crore Users Can Be Impacted
On 14 January, Microsoft released a patch for Windows 10 and Server 2016 after the National Security Agency found and disclosed a serious vulnerability.
How Did This Happen?
The flaw is in Microsoft’s CryptoAPI service, which developers use to cryptographically “sign” software and data and to generate the digital certificates used in authentication, all so that Windows can confirm trustworthiness and validity when it checks them on users’ devices.
Because that verification check itself can no longer be trusted, attackers could exploit the flaw to remotely deliver malware or intercept sensitive data.
With the current findings, an attacker could potentially exploit the bug to undermine crucial protections, and ultimately take control of victim devices.
What Does the NSA Suggest?
On Tuesday, Anne Neuberger, head of the NSA’s Cybersecurity Directorate, said: “[We are] recommending that network owners expedite implementation of the patch immediately as we will also be doing.”
“When we identified a broad cryptographic vulnerability like this we quickly turned to work with the company to ensure that they could mitigate it,” she said.
Giving more information on the subject, Neuberger said that disclosing the code verification bug to Microsoft and the public is part of a new NSA initiative in which the agency will share its vulnerability findings more quickly and more often.
She added that the effort will work alongside the existing Vulnerability Equities Process run by the National Security Council, which weighs the national security importance of keeping hacking tools secret versus disclosing vulnerabilities.
That is why the NSA didn’t just disclose the vulnerability but also made its own role public. “It’s hard for entities to trust that we indeed take this seriously,” she said, “and [that] ensuring that vulnerabilities can be mitigated is an absolute priority.”
How Critical Is the Vulnerability?
David Kennedy, CEO of the corporate security evaluation firm TrustedSec and a former NSA employee, said: “Think of signing malware as if it’s trusted by Microsoft or intercepting encrypted web traffic, that would completely evade so many protections.”
As researchers and cybercriminals alike study the vulnerability and race to develop tools that take advantage of it, the scale of the risk to users will become clearer.
Even so, a flaw in a crucial cryptographic component of Windows is certainly problematic, especially given that Windows 10 is the most-used operating system in the world, installed on more than 900 million PCs.
Kenn White, security principal at MongoDB and director of the Open Crypto Audit Project, said: “This is a core, low-level piece of the Windows operating system and one that establishes trust between administrators, regular users, and other computers on both the local network and the internet.”
“If the technology that ensures that trust is vulnerable, there could be catastrophic consequences. But precisely what scenarios and preconditions are required—we’re still analyzing. It will be a long day for a lot of Windows administrators around the world,” he added.
This isn’t the first time the agency has been under scrutiny: after the EternalBlue fiasco in 2017, the NSA faced major criticism for hoarding vulnerabilities for its own exploitation rather than disclosing them so they could be fixed.
Though the NSA disclosed this bug, that doesn’t mean it is going to give up its whole arsenal of hacking tools, nor should it.
However, the move toward transparency is a welcome step, even if it also serves as NSA image rehab.