The news service said the U.S. National Security Agency, which quietly hunts for and tries to leverage software flaws it finds for spying, recently alerted Microsoft of the problem in Win10’s ability to verify digital signatures used to confirm if updates are legitimate.
If attackers can infiltrate Windows by using this hole it would mean computers around the world could be at risk.
Industry experts immediately praised the NSA for disclosing the flaw rather than exploiting it. The NSA has been widely criticized for apparently keeping secret a hacking tool, dubbed EternalBlue, that exploited a bug present in all versions of Windows. That vulnerability was unknown until the NSA was hacked and a number of exploits were stolen.
The NSA quietly told Microsoft of the bug, and Microsoft issued a fix in March 2017. Shortly afterward a group calling itself the Shadow Brokers released the EternalBlue code, which led to others exploiting it.
“For the U.S. government to share its discovery of a critical vulnerability with a vendor is exceptionally rare if not unprecedented,” said Amit Yoran, CEO of security vendor Tenable. “It underscores the criticality of the vulnerability and we urge all organizations to prioritize patching their systems quickly. The fact that Microsoft provided a fix in advance to the U.S. government and other customers that provide critical infrastructure is also highly unusual. These are clearly noteworthy shifts from regular practices and make this vulnerability worth paying attention to and also worth asking questions about. How long ago was the vulnerability discovered? How long did it take from discovery to reporting? Was it used by the NSA? Has it been observed being used by foreign intelligence services already? What triggered the vendor disclosure? None of these questions change what organizations need to do at this point to protect themselves, but their answers might tell us a lot more about the environment we operate in.”
On Monday there were early but unconfirmed reports of the problem.
Security reporter Brian Krebs said unnamed sources told him the vulnerability is in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles “certificate and cryptographic messaging functions in the CryptoAPI.”
The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography and includes functionality for encrypting and decrypting data using digital certificates.