
The National Security Agency (NSA) recently took the unprecedented step of promptly alerting Microsoft to a flaw it spotted in the Windows 10 operating system.
The U.S. intelligence agency has historically opted to weaponize vulnerabilities discovered in a vendor’s software for offensive purposes, most notably when it exploited a Microsoft flaw for more than a half-decade by creating a hacking tool called Eternal Blue. But this time around, the NSA opted to promptly disclose the issue to Microsoft, making it possible for the vendor to expeditiously issue a patch.
“This is…a change in approach…by NSA of working to share, working to lean forward, and then working to really share the data as part of building trust,” NSA Cybersecurity Directorate Director Anne Neuberger is quoted as saying in the Washington Post.
The vulnerability discovered by the NSA allows an attacker to undermine how Windows 10 and Windows Server 2016/2019 verify cryptographic trust. As a result, the NSA said adversaries are able to craft certificates that spoof trusted web sites, software companies or service providers and then leverage that trust to compromise users or services on vulnerable systems.
“Sophisticated cyber actors will understand the flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable,” the NSA said in a cybersecurity advisory Tuesday. “The consequences of not patching the vulnerability are severe and widespread.”
The security flaw leaves Windows vulnerable to a broad range of exploitation vectors, and the NSA expects remote exploitation tools to quickly become widely available. Rapid adoption of the patch on all Windows 10 and Windows Server 2016/2019 systems is the only known mitigation for the vulnerability, and the NSA recommended that network owners make that their primary focus.
“This vulnerability may not seem flashy, but it’s a critical issue,” Neal Ziring, technical director of the NSA’s Cybersecurity Directorate, wrote in a blog post. “Trust mechanisms are the foundations on which the Internet operates, and [this vulnerability] permits a sophisticated threat actor to subvert those very foundations.”
An attacker can exploit this vulnerability by using a spoofed code-signing certificate, Microsoft said, making it appear as if the file was from a trusted, legitimate source. Microsoft said the user would have no way of knowing the file was malicious since the signature would appear to be from a trusted provider.
In addition, Microsoft said a successful exploit would allow the attacker to conduct man-in-the-middle operations. An attacker could therefore decrypt confidential information exchanged while a user is connected to the affected software, according to Microsoft.
Microsoft hasn’t identified any mitigation factors or workarounds for this vulnerability, and has classified the flaw as “exploitation more likely.” This means that Microsoft is both aware of past instances of this type of vulnerability being exploited and believes the exploit code could be created in a way that allows an attacker to consistently exploit this vulnerability.
If enterprise-wide, automated patching isn’t possible, the NSA recommends that system owners prioritize patching endpoints that provide essential or broadly relied-upon services. Prioritization should also be given to endpoints that are more likely to be exploited due to their exposure to the internet or their regular use by privileged users, according to the NSA.
Although network devices and endpoint logging features can detect or prevent certain methods of exploitation, the NSA said the most effective mitigation is installing all patches. When possible, the NSA recommends applying patches to all affected endpoints rather than prioritizing specific classes of endpoints.
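The prioritization the NSA describes above can be turned into a repeatable check. The following PowerShell script is an added example written for this article; it is not code from the NSA, Microsoft or CRN. It assumes a constructed inventory of four hosts, WMI/DCOM reachability for Get-HotFix, and a placeholder update identifier ($FixKB) that must be replaced with the identifier of the actual Microsoft update, which this article does not name. The scoring weights are also an assumption.

```powershell
# Added example (not from the article, the NSA or Microsoft): find endpoints that
# still lack the fix and rank them by the NSA's stated priorities: essential or
# broadly relied-upon services, internet exposure, and regular use by privileged users.

$FixKB = 'KB0000000'   # PLACEHOLDER: replace with the real Microsoft update identifier

# Constructed inventory for illustration; a real run would pull this from a CMDB.
$Inventory = @(
    [pscustomobject]@{ Name = 'dc01';    Essential = $true;  InternetExposed = $false; PrivilegedUse = $true  },
    [pscustomobject]@{ Name = 'web01';   Essential = $true;  InternetExposed = $true;  PrivilegedUse = $false },
    [pscustomobject]@{ Name = 'ws-fin1'; Essential = $false; InternetExposed = $false; PrivilegedUse = $false },
    [pscustomobject]@{ Name = 'jump01';  Essential = $false; InternetExposed = $true;  PrivilegedUse = $true  }
)

function Test-FixInstalled {
    param([string]$ComputerName, [string]$KB)
    try {
        # Get-HotFix queries Win32_QuickFixEngineering on the target host.
        # -ErrorAction Stop turns "hotfix not found" into a catchable error.
        $null -ne (Get-HotFix -Id $KB -ComputerName $ComputerName -ErrorAction Stop)
    } catch {
        # Not found or unreachable: keep the host on the worklist rather than assume it is safe.
        $false
    }
}

function Get-PatchPriority {
    param($Endpoint)
    # Higher score = patch sooner. Weights are an assumption, not taken from the advisory.
    $score = 0
    if ($Endpoint.Essential)       { $score += 3 }
    if ($Endpoint.InternetExposed) { $score += 2 }
    if ($Endpoint.PrivilegedUse)   { $score += 2 }
    $score
}

function Get-PatchReason {
    param($Endpoint)
    $reasons = @()
    if ($Endpoint.Essential)       { $reasons += 'essential service' }
    if ($Endpoint.InternetExposed) { $reasons += 'internet-exposed' }
    if ($Endpoint.PrivilegedUse)   { $reasons += 'privileged users' }
    if ($reasons.Count -eq 0)      { $reasons += 'none (patch in normal cycle)' }
    $reasons -join ', '
}

# Build the worklist of unpatched hosts, highest priority first.
$Worklist = foreach ($h in $Inventory) {
    if (-not (Test-FixInstalled -ComputerName $h.Name -KB $FixKB)) {
        [pscustomobject]@{
            Name     = $h.Name
            Priority = Get-PatchPriority -Endpoint $h
            Reason   = Get-PatchReason -Endpoint $h
        }
    }
}

$Worklist | Sort-Object Priority -Descending | Format-Table -AutoSize
```

Hosts that are unreachable are deliberately treated as unpatched so they stay visible; a quiet failure that drops a host from the list is the wrong default when, as the article notes, patching is the only known mitigation.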