Microsoft & NSA Confirm Killer Windows 10 Security Flaw, Patch Released

Article Courtesy of CNET

Instead of keeping a potential hacking resource to itself, the US National Security Agency alerted Microsoft to a serious security flaw in the Windows 10 operating system that could open computers to major breaches or surveillance. The NSA said the flaw is severe and that hackers will understand very quickly how to exploit it.

“The consequences of not patching the vulnerability are severe and widespread,” the NSA said in an advisory Tuesday.

Translation: Update your Microsoft systems immediately to avoid hacking.

Microsoft issued a patch Tuesday for the flaw, which was first reported by The Washington Post. The flaw affects devices running the Windows 10 operating system, as well as the Windows Server 2016 and 2019 operating systems. Using the flaw, attackers could create an exploit that creates fake security certificates, giving them a free pass to run malicious software on Windows devices while looking legitimate to the system.

“The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider,” Microsoft said in its description of the vulnerability.

In other words, if your computer’s security systems are like a bouncer in front of a nightclub, a spoofed security certificate is like a fake ID for sneaky malware, said Tenable cybersecurity researcher Satnam Narang. With the spoofed certificate, he said, malware “can enter the club, so to speak.”

Cybersecurity researchers also expressed concern Tuesday that the flaw could let attackers compromise communications secured with encryption as they travel from sender to recipient, something that relies on a protocol known as TLS. “If you are a developer of an app that’s using TLS, I would also be thinking hard right now about the impact of this issue on your threat model,” said Dmitri Alperovitch, CTO of cybersecurity firm Crowdstrike, on Twitter.

If you are a developer of an app that’s using TLS, I would also be thinking hard right now about the impact of this issue on your threat model https://t.co/WmSvlCqOAi

— Dmitri Alperovitch (@DAlperovitch) January 14, 2020

The company released this month’s updates and technical information as part of its regular Update Tuesday. It’s the first time Microsoft has credited the NSA for reporting a security flaw, according to security expert Brian Krebs.

The cooperation between the NSA and Microsoft is a promising development, said Michael Kaiser, former executive director of the National Cyber Security Alliance. As part of his work, Kaiser helped small- and medium-sized businesses address cybersecurity, and he says the level of trust and sharing between businesses and government was very low 10 years ago. This could be a sign that things are improving.

“You can’t make the world more secure unless you share these kinds of things,” Kaiser said.

Microsoft said in its description of the vulnerability that it hasn’t seen active exploitation of the flaw. The NSA has previously developed hacking tools using flaws in Microsoft systems, including an exploit called Eternal Blue. The NSA’s exploit was stolen by hackers and used by criminals in a series of ransomware attacks that hit cities in the US and beyond.

News of Tuesday’s security flaw comes the same day that Microsoft is ending support for Windows 7. The company has encouraged people to upgrade to Windows 10 to keep their PCs and laptops secure.

 

To install the latest Windows 10 Security Patch, follow the steps below or contact our Team for assistance.

Update Windows 10

Check for Windows Updates