Instead of keeping a potential hacking resource to itself, the US National Security Agency alerted Microsoft to a serious security flaw that could open computers to major breaches or surveillance. The NSA said the flaw is severe and that hackers will understand very quickly how to exploit it.
“The consequences of not patching the vulnerability are severe and widespread,” the NSA said in an advisory Tuesday.
Translation: Update your Microsoft systems immediately to avoid hacking.
Microsoft issued a patch Tuesday for the flaw, which was first reported by The Washington Post. The flaw affects devices running the Windows 10 operating system, as well as the Windows Server 2016 and 2019 operating systems. Using the flaw, attackers could create an exploit that forges security certificates, giving them a free pass to run malicious software on Windows devices while looking legitimate to the system.
“The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider,” Microsoft said in its description of the vulnerability.
In other words, if your computer’s security systems are like a bouncer in front of a nightclub, a spoofed security certificate is like a fake ID for sneaky malware, said Tenable cybersecurity researcher Satnam Narang. With the spoofed certificate, he said, malware “can enter the club, so to speak.”
Cybersecurity researchers also expressed concern Tuesday that the flaw could let attackers compromise communications secured with encryption as they travel from sender to recipient, something that relies on a protocol known as TLS. “If you are a developer of an app that’s using TLS, I would also be thinking hard right now about the impact of this issue on your threat model,” said Dmitri Alperovitch, CTO of cybersecurity firm Crowdstrike, on Twitter.
The company released this month’s updates and technical information as part of its regular Update Tuesday. It’s the first time Microsoft has credited the NSA for reporting a security flaw, according to security expert Brian Krebs.
The cooperation between the NSA and Microsoft is a promising development, said Michael Kaiser, former executive director of the National Cyber Security Alliance. As part of his work, Kaiser helped small- and medium-sized businesses address cybersecurity, and he said the level of trust and sharing between businesses and government was very low 10 years ago. This could be a sign that things are improving.
“You can’t make the world more secure unless you share these kinds of things,” Kaiser said.
Microsoft said in its description of the vulnerability that it hasn’t seen active exploitation of the flaw. The NSA has previously developed hacking tools using flaws in Microsoft systems, including an exploit called Eternal Blue. The NSA’s exploit was later used by criminals in a series of ransomware attacks and beyond.
Originally published Jan. 14, 8:17 a.m. PT.
Updates, 8:34 a.m.: Adds comment from Microsoft and more background; 10:24 a.m.: Includes confirmation from Microsoft that NSA reported the vulnerability; 10:52 a.m.: Adds confirmation from NSA that it reported vulnerability; 11:34 a.m.: Includes comment from Michael Kaiser; 12:30 p.m.: Adds information about the vulnerability and quote from Satnam Narang.