Microsoft patches Windows 10 security flaw discovered by the NSA
Reported today on The Verge
For the full article visit: https://www.theverge.com/2020/1/14/21065563/microsoft-windows-security-flaw-nsa-patch-attribution-cryptography-update
Microsoft is patching a serious flaw in various versions of Windows today after the National Security Agency (NSA) discovered and reported a security vulnerability in how Windows handles certificate and cryptographic messaging functions. The flaw, which Microsoft has not rated critical, could let attackers spoof the digital signature on a piece of software, so unsigned or malicious code can masquerade as legitimately signed software.
The bug is a problem for environments that rely on digital certificates to validate the software that machines run, a potentially far-reaching security issue if left unpatched. The NSA reported the flaw to Microsoft recently, and it's recommending that enterprises patch it immediately or prioritize systems that host critical infrastructure like domain controllers, VPN servers, or DNS servers. Security reporter Brian Krebs first revealed the extent of the flaw yesterday, warning of potential issues with authentication on Windows desktops and servers.
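The NSA guidance above amounts to a triage order: patch everything, but check domain controllers, VPN servers and DNS servers first. The following PowerShell script is an added example written for this page, not code from The Verge, Microsoft or the NSA. It assumes WinRM is enabled on the targets, that you run it with administrative rights, and that you supply the KB number of the cumulative update carrying the fix for each build (the article does not name one, so the `KB1234567` in the comment is a placeholder, not a real identifier).

```powershell
# Added example (not from the article): rank Windows hosts by the roles the NSA
# guidance prioritises and report whether a given cumulative update is installed.
# Assumptions: WinRM reachable, admin rights, and -KB is the real update for the
# target build (e.g. 'KB1234567' is only a placeholder here).
param(
    [Parameter(Mandatory)] [string[]] $ComputerName,
    [Parameter(Mandatory)] [string]   $KB
)

$report = Invoke-Command -ComputerName $ComputerName -ArgumentList $KB -ScriptBlock {
    param($KB)

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Server roles named in the guidance: AD DS (domain controller), DNS, and
    # RemoteAccess (the Windows VPN role). Get-WindowsFeature only exists on
    # Server SKUs, so Windows 10 clients simply report no roles.
    $roles = @()
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $roles = Get-WindowsFeature -Name AD-Domain-Services, DNS, RemoteAccess |
                 Where-Object Installed |
                 Select-Object -ExpandProperty Name
    }

    # Get-HotFix lists installed updates; absence of the KB means unpatched
    # (or patched via a later, superseding cumulative update; see note below).
    $patched = [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)

    $priority = 'DONE'
    if (-not $patched) {
        $priority = if (@($roles).Count -gt 0) { 'HIGH' } else { 'NORMAL' }
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        OS       = $os.Caption
        Build    = $os.BuildNumber
        Roles    = (@($roles) -join ',')
        Patched  = $patched
        Priority = $priority
    }
}

# HIGH sorts before NORMAL and DONE, so the hosts to patch first are at the top.
$report | Sort-Object Priority, Computer | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: `Get-HotFix` only matches the exact KB you pass, so a host that received a later cumulative update which supersedes it will be reported as unpatched (compare the OS build revision against Microsoft's release notes if that matters for your fleet); and a third-party VPN product will not show up as the `RemoteAccess` role, so those servers have to be added to the HIGH list by hand.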
Microsoft is now patching Windows 10, Windows Server 2016, and Windows Server 2019. The software giant says it has not seen active exploitation of the flaw in the wild, and it has marked it as "important" and not the highest "critical" level that it uses for major security flaws. That's not a reason to delay patching, though. Malicious actors will inevitably reverse-engineer the fix to discover the flaw and use it on unpatched systems.
It's unusual to see the NSA reporting these types of vulnerabilities directly to Microsoft, but it's not the first time the government agency has done so. This is the first time the NSA has accepted attribution from Microsoft for a vulnerabili