Windows Security Flaw Discovered by NSA
The United States National Security Agency (NSA) has uncovered and exposed an extremely serious security flaw in Microsoft’s Windows 10 CryptoAPI service. Publicly announced by the intelligence agency, the vulnerability relates to cryptographic signatures, or the digitally generated certificates used to authenticate HTTPS connections, apps and executable code.
Described by expert security researcher Brian Krebs as being “extraordinarily serious”, left unpatched the bug could potentially allow malicious actors to spoof certificates and disguise malware or other nefarious pieces of software without the operating systems detection or users’ knowledge.
Made public on the 14th of January, Microsoft quickly worked to patch the Windows 10 Security Flaw, whilst advising systems administrators to deploy updates immediately. Stating that they do not believe this vulnerability has thus far been exploited, Microsoft also worked with managers of key internet infrastructure and military entities to secure networks prior to the flaw being announced.
“NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable”
National Security Agency
The announcement of this exploit comes at a time when Microsoft are also ceasing updates to Windows 7. Initially released in 2009, the operating system will no longer be considered secure without patches and support being issued; users are strongly advised to update their systems and to move away from Windows 7.
As the most used operating system, Windows 10 if left unpatched, could have left over 900 million devices vulnerable to attack, again emphasising the importance of vulnerability testing and regular updates. Though it’s not known exactly when the vulnerability was discovered, it is believed that previous exploits, such as EternalBlue, were utilised by the agency for five years before being disclosed and fixed.
"[We are] recommending that network owners expedite implementation of the patch immediately as we will also be doing…when we identified a broad cryptographic vulnerability like this, we quickly turned to work with the company to ensure that they could mitigate it."
Anne Neuberger, NSA's Cybersecurity Directorate
Likely part of a new transparency initiative, the NSA has previously faced criticism for its security and intelligence gathering practices. With this disclosure, the agency is perhaps hoping to soften its image as well as contributing to industry best practices; similar to that of Google’s Project Zero, a security team dedicated to finding and safely exposing zero-day vulnerabilities.
As systems administrators work to secure networks, we are once again reminded of the vulnerabilities that threaten even the most modern and secure systems available. If exploited, vulnerability CVE-2020-0601 could have facilitated immeasurable damage and threatened the information security of individuals and organisations the world over.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.
How safe is WiFi? Use these WiFi safety tips to help keep you secure online. Blog from cyber security awareness training provider Hut Six.
Travelex enters its third week of shutdown at the hands of a ransomware attack. Cyber Security blog by cyber security awareness training provider Hut Six.
Malware is a persistent threat that can affect every aspect of our digital lives. Identifying, avoiding and removing it are essential to your information security.
How can simulated phishing attacks improve your organisation's security awareness? Blog from information security awareness training provider Hut Six.
The CIA triad consists of three principles upon which professionals typically focus. Blog by Information Security awareness training provider Hut Six.
Will Certificate Transparency Help to Rebuild Confidence in Certificate Authorities? Blog by information security training provider Hut Six Security
In 2018 it was discovered thousands of websites had been hijacked by crypto-mining code, known as a "Cryptojacking" attack. Including UK Gov and ICO websites.
Spear Phishing Part 3: With 50% of receivers clicking on an attachment or link, users are 10 times more likely to make this mistake than with generic phishing emails.
Can the introduction of the confirmation of payee requirement reduce APP scams? Blog by cybersecurity awareness training provider Hut Six.
All businesses know it's a threat, but how can you spot a spear-phishing email? Blog by Information Security awareness training provider Hut Six.