NSA finds ‘severe’ security flaw in Microsoft Windows 10, apparently didn’t exploit it
- Marks first time the NSA has publicly claimed credit for prompting a software security update
- Microsoft released a free software patch to fix the flaw Tuesday
The National Security Agency (NSA) has discovered a major security flaw in Microsoft’s Windows 10 operating system that could let hackers intercept seemingly secure communications.
But rather than exploit the flaw for its own intelligence needs, the NSA tipped off Microsoft so that it can fix the system for everyone.
Microsoft released a free software patch to fix the flaw Tuesday and credited the intelligence agency for discovering it. The company said it has not seen any evidence that hackers have used the technique.
US$5 million reward offered for ‘Evil Corp’ hacker Maksim Yakubets, who has Russian spy links
Amit Yoran, CEO of security firm Tenable, said it is “exceptionally rare if not unprecedented” for the US government to share its discovery of such a critical vulnerability with a company.
Yoran, who was a founding director of the Department of Homeland Security’s computer emergency readiness team, urged all organisations to prioritise patching their systems quickly.
An advisory sent by the NSA on Tuesday said “the consequences of not patching the vulnerability are severe and widespread”.
Microsoft said an attacker could exploit the vulnerability by spoofing a code-signing certificate so it looked like a file came from a trusted source.
“The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider,” the company said.
If successfully exploited, attackers would have been able to conduct “man-in-the-middle attacks” and decrypt confidential information they intercept on user connections, the company said.
Hacker used US$35 Raspberry Pi computer to steal restricted Nasa data
“The biggest risk is to secure communications,” said Adam Meyers, vice-president of intelligence for security firm CrowdStrike.
Some computers will get the fix automatically, if they have the automatic update option turned on. Others can get it manually by going to Windows Update in the computer’s settings.
Microsoft typically releases security and other updates once a month and waited until Tuesday to disclose the flaw and the NSA’s involvement. Microsoft and the NSA both declined to say when the agency privately notified the company.
The agency shared the vulnerability with Microsoft “quickly and responsibly”, Neal Ziring, technical director of the NSA’s cybersecurity directorate, said in a blog post Tuesday.
Priscilla Moriuchi, who retired from the NSA in 2017 after running its East Asia and Pacific operations, said this was a good example of the “constructive role” that the NSA can play in improving global information security. Moriuchi, now an analyst at the US cybersecurity firm Recorded Future, said it’s likely a reflection of changes made in 2017 to how the US determines whether to disclose a major vulnerability or exploit it for intelligence purposes.
WhatsApp sues Israeli firm NSO for ‘helping spies hack phones with video calls’
The disclosure appears to represent an improvement in relations between Microsoft and the NSA, which previously secretly collected security exploits of Microsoft’s Windows to use the tools for its own hacks.
Details of the practice became public in 2017 when a group known as the Shadow Brokers obtained and published the NSA’s tools, leading to an emergency for Microsoft as the company rushed to patch the “zero day” exploits. One month later, Microsoft blamed the NSA exploits for the global spread of malicious software called “WannaCrypt”. Additional reporting by Bloomberg and Reuters