A major security flaw was discovered by the National Security Agency (NSA) today on various versions of Windows.
The NSA reported a security vulnerability in Microsoft’s handling of certificate and cryptographic messaging functions in Windows.
The bug is a serious problem for environments that rely on digital certificates to validate the software their machines run, because attackers can spoof the digital signature attached to a piece of software.
This opens the door for unsigned and malicious code to appear as legitimate software.
If left unpatched, it could lead to far-reaching security issues.
Security reporter Brian Krebs first revealed the extent of the flaw yesterday, warning of “potential issues with authentication on Windows desktops and servers.”
When the NSA reported the flaw to Microsoft, it urged the company to patch it immediately and, in particular, to prioritize systems that host critical infrastructure such as VPN servers, DNS servers, and domain controllers.
On disclosure, Microsoft rated the flaw as “important,” despite the NSA urging it to rate it as “critical.”
Microsoft claims that they have not seen active exploitation of the flaw in the wild.
Microsoft is now patching Windows 10, Windows Server 2016, and Windows Server 2019 to take care of the issue.
Even though Microsoft did not mark this issue as critical, there is no reason to delay patching.
In its own advisory, the NSA warns that malicious actors can reverse-engineer the fix to locate the flaw in unpatched systems, all the more so now that the flaw has made major headlines.
They go on to state that:
“The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors,” says an NSA statement. “NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable.”
It is very uncommon for the NSA to report these types of vulnerabilities directly to Microsoft, but it is also not the first time the government agency has done so.
This is, however, the very first time that the NSA has allowed and accepted attribution from Microsoft on a vulnerability report.
According to Krebs: “Sources say this disclosure from NSA is planned to be the first of many as part of a new initiative at NSA dubbed ‘Turn a New Leaf,’ aimed at making more of the agency’s vulnerability research available to major software vendors and ultimately to the public.”
The NSA is urging Windows 10 users to run a software update immediately to patch the flaw and protect themselves from further exposure.