Microsoft is fixing a serious flaw in several versions of Windows today after the National Security Agency (NSA) discovered and reported a security vulnerability in Microsoft’s handling of the certificate and cryptographic messaging functions in Windows. The flaw, which Microsoft has not rated as critical, could allow attackers to forge the digital signature tied to a piece of software, letting malicious and unsigned code impersonate legitimate software.
The flaw is a problem for environments that rely on digital certificates to validate the software running on their machines, and a potentially powerful security problem if left unpatched. The NSA recently reported the flaw to Microsoft and recommends that organizations patch it immediately, prioritizing systems that host critical infrastructure such as domain controllers, VPN servers or DNS servers. Security reporter Brian Krebs first revealed the extent of the flaw yesterday, warning of possible problems with authentication on Windows desktops and servers.
Microsoft is now patching Windows 10, Windows Server 2016 and Windows Server 2019. The software giant says it has not seen active exploitation of the flaw in the wild, and has rated it “important” rather than the higher “critical” level it uses for major security flaws. That is no reason to delay patching, however: malicious actors will inevitably reverse engineer the fix to discover the flaw and use it against unpatched systems.
The NSA warns of exactly that in its own advisory and suggests this is an important vulnerability even though Microsoft does not rate it as critical. “The vulnerability puts Windows endpoints at risk for a wide range of exploitation vectors,” an NSA statement says. “The NSA assesses that the vulnerability is severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, the platforms mentioned above would be fundamentally vulnerable.”
It is unusual to see the NSA report this type of vulnerability directly to Microsoft, but it is not the first time the agency has done so. It is, however, the first time the NSA has accepted Microsoft’s attribution for a vulnerability report. Krebs says it is part of a new initiative to make agency research available to software vendors and the public.
An earlier NSA exploit targeting the Windows file-sharing protocol, called EternalBlue, leaked two years ago and caused widespread damage. It led to the WannaCry ransomware and other variants that locked up computers everywhere from the United Kingdom’s National Health Service to the Russian Interior Ministry. Microsoft was forced to issue an emergency patch for Windows XP, even though the operating system had reached the end of support.
Update, January 14 at 2 p.m. ET: Article updated with NSA statement.