The NSA reported a major Windows 10 security flaw the same day Windows 7 support ended


Microsoft issued a patch on Tuesday for a major Windows flaw found by the NSA.

Ian Knighton / CNET

Instead of keeping a potential hacking resource for itself, the US National Security Agency alerted Microsoft about a serious security flaw in the Windows 10 operating system that could open computers to major breaches or surveillance. The NSA said the flaw is severe and that hackers will very quickly work out how to exploit it.

"The consequences of not repairing the vulnerability are serious and widespread," the NSA said in a notice Tuesday.

Translation: Update your Microsoft systems immediately to avoid being hacked.

Microsoft issued a patch on Tuesday for the bug, which was first reported by The Washington Post. The flaw affects devices running the Windows 10 operating system, as well as the Windows Server 2016 and 2019 operating systems. Using the flaw, attackers could build an exploit that creates fake security certificates, giving them a free pass to run malicious software on Windows devices while appearing legitimate to the system.

"The user would have no way of knowing that the file was malicious, because the digital signature would appear to be from a trusted provider," Microsoft said in its description of the vulnerability.

In other words, if your computer's security systems are like a bouncer in front of a nightclub, a counterfeit security certificate is like a fake ID for malware, said Tenable security researcher Satnam Narang. With the forged certificate, he said, malware "can enter the club, so to speak."

Cybersecurity researchers also expressed concern on Tuesday that the flaw could allow attackers to compromise encrypted communications while in transit from sender to receiver, something that relies on a protocol known as TLS. "If you are a developer of an application that uses TLS, you would also be thinking a lot about the impact of this problem on your threat model," said Dmitri Alperovitch, CTO of the cybersecurity firm CrowdStrike, on Twitter.

The company released updates and technical information this month as part of its regular Tuesday update. It is the first time that Microsoft has credited the NSA with reporting a security flaw, according to security expert Brian Krebs.

The cooperation between the NSA and Microsoft is a promising development, said Michael Kaiser, former executive director of the National Cyber Security Alliance. As part of his work, Kaiser helped small and medium-sized businesses address cybersecurity, and he says the level of trust and information sharing between companies and the government was very low 10 years ago. This could be a sign that things are improving.

"You can't make the world safer unless you share this kind of thing," said Kaiser.

Microsoft said in its description of the vulnerability that it has not seen active exploitation of the flaw. The NSA has previously developed hacking tools using flaws in Microsoft systems, including an exploit called EternalBlue. The NSA's exploit was stolen by hackers and used by criminals in a series of ransomware attacks that hit cities in the United States and beyond.

The news of Tuesday's security flaw comes the same day Microsoft is ending support for Windows 7. The company has encouraged people to upgrade to Windows 10 to keep their PCs and laptops safe.

Originally published on January 14 at 8:17 a.m. PT.
Updates, 8:34 a.m.: Adds comments from Microsoft and more background; 10:24 a.m.: Includes Microsoft's confirmation that the NSA reported the vulnerability; 10:52 a.m.: Adds confirmation from the NSA that it reported the vulnerability; 11:34 a.m.: Includes comment from Michael Kaiser; 12:30 p.m.: Adds information about the vulnerability and a quote from Satnam Narang.
