Windows Security Flaw Discovered by NSA

The United States National Security Agency (NSA) has uncovered and exposed an extremely serious security flaw in Microsoft’s Windows 10 CryptoAPI service. Publicly announced by the intelligence agency, the vulnerability relates to cryptographic signatures, or the digitally generated certificates used to authenticate HTTPS connections, apps and executable code.

Described by expert security researcher Brian Krebs as being “extraordinarily serious”, left unpatched the bug could potentially allow malicious actors to spoof certificates and disguise malware or other nefarious pieces of software without the operating systems detection or users’ knowledge.

Made public on the 14th of January, Microsoft quickly worked to patch the Windows 10 Security Flaw, whilst advising systems administrators to deploy updates immediately. Stating that they do not believe this vulnerability has thus far been exploited, Microsoft also worked with managers of key internet infrastructure and military entities to secure networks prior to the flaw being announced.

“NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable”

National Security Agency

The announcement of this exploit comes at a time when Microsoft are also ceasing updates to Windows 7. Initially released in 2009, the operating system will no longer be considered secure without patches and support being issued; users are strongly advised to update their systems and to move away from Windows 7.

As the most used operating system, Windows 10 if left unpatched, could have left over 900 million devices vulnerable to attack, again emphasising the importance of vulnerability testing and regular updates. Though it’s not known exactly when the vulnerability was discovered, it is believed that previous exploits, such as EternalBlue, were utilised by the agency for five years before being disclosed and fixed.

"[We are] recommending that network owners expedite implementation of the patch immediately as we will also be doing…when we identified a broad cryptographic vulnerability like this, we quickly turned to work with the company to ensure that they could mitigate it."

Anne Neuberger, NSA's Cybersecurity Directorate

Likely part of a new transparency initiative, the NSA has previously faced criticism for its security and intelligence gathering practices. With this disclosure, the agency is perhaps hoping to soften its image as well as contributing to industry best practices; similar to that of Google’s Project Zero, a security team dedicated to finding and safely exposing zero-day vulnerabilities.

As systems administrators work to secure networks, we are once again reminded of the vulnerabilities that threaten even the most modern and secure systems available. If exploited, vulnerability CVE-2020-0601 could have facilitated immeasurable damage and threatened the information security of individuals and organisations the world over.

Security Awareness for your Organisation

Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.

Featured

WiFi Network Security

Top 5 WiFi Safety Tips: The Guide to Staying Secure

How safe is WiFi? Use these WiFi safety tips to help keep you secure online. Blog from cyber security awareness training provider Hut Six.

Travelex Ransomware Attack

Travelex Ransomware Attack Enters Its Third Week

Travelex enters its third week of shutdown at the hands of a ransomware attack. Cyber Security blog by cyber security awareness training provider Hut Six.

Malware and Stalkerware Pandemic

Malware, Stalkerware – Beware: The Growing Market for Privacy Invading Apps

Malware is a persistent threat that can affect every aspect of our digital lives. Identifying, avoiding and removing it are essential to your information security.

Phishing Simulation for Employees

Sending Simulated Phishing Attacks to Employees

How can simulated phishing attacks improve your organisation's security awareness? Blog from information security awareness training provider Hut Six.

The CIA Triangle in Information Security

Information Security Principles: What is the CIA Triad?

The CIA triad consists of three principles upon which professionals typically focus. Blog by Information Security awareness training provider Hut Six.

Trusting HTTPS and SSL Certificates

Suspicious Certificates, Transparency and HTTPS

Will Certificate Transparency Help to Rebuild Confidence in Certificate Authorities? Blog by information security training provider Hut Six Security

UK Government and ICO Cryptojacked

Information Commissioner’s Office Mining Crypto

In 2018 it was discovered thousands of websites had been hijacked by crypto-mining code, known as a "Cryptojacking" attack. Including UK Gov and ICO websites.

What to do if you've fallen victim to spear phishing

Spear Phishing Series Part 3: What to do if You’ve Been Phished

Spear Phishing Part 3: With 50% of receivers clicking on an attachment or link, users are 10 times more likely to make this mistake than with generic phishing emails.

Confirmation of Payee - APP Scams

Will Confirmation of Payee Reduce APP Scams?

Can the introduction of the confirmation of payee requirement reduce APP scams? Blog by cybersecurity awareness training provider Hut Six.

Spear Phishing Indicators

Spear Phishing Series Part 2: How to Spot a Spear-Phishing Email

All businesses know it's a threat, but how can you spot a spear-phishing email? Blog by Information Security awareness training provider Hut Six.