The NSA tells Microsoft about the critical failure of Windows cryptography

NSA headquarters in Fort Meade, Maryland.
Photo: Patrick Semansky (AP)

The National Security Agency disclosed a serious vulnerability in the latest versions of Windows 10 and Windows Server 2016 to Microsoft, which released a fix for the problem on Tuesday, the MIT Technology Review reported.

The NSA took the unusual step (for an intelligence agency) of issuing a press release on the matter, writing that the critical vulnerability affects Windows' core cryptographic functionality and would allow “attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.” That could compromise security features including HTTPS connections, signed files and emails, and “signed executable code launched as user-mode processes,” according to the NSA.

The NSA added in the statement that it “assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, it would render the previously mentioned platforms as fundamentally vulnerable.” However, the agency said it had no evidence that anyone had actually exploited the vulnerability. Microsoft likewise said it had seen nothing to suggest that the vulnerability had been successfully exploited in the wild, the MIT Technology Review wrote.

The NSA's release also contained guidance for network administrators on preventing and detecting possible exploitation of the vulnerability, and urged them to prioritize patching “endpoints that provide essential or widely relied-upon services.” It added that administrators should also prioritize endpoints that are “directly exposed to the Internet” or that are routinely used by people with administrative privileges.

Cybersecurity blogger Brian Krebs reported rumors on Monday that Microsoft was rushing out a fix for a problem in crypt32.dll, the Windows module that handles cryptographic functions. Krebs's sources said the vulnerability could be used to forge the digital signatures attached to specific software builds, allowing attackers to trick users into believing that malware-laden programs are legitimate software. The NSA's director of cybersecurity, Anne Neuberger, told reporters that this was the first time Microsoft had publicly credited the agency with reporting a software flaw, according to Krebs.

It is difficult to overstate the potential impact of this flaw, which could allow attackers to take control of hundreds of millions of machines running Windows 10 or Windows Server 2016. The security director of MongoDB, who also directs the Open Crypto Audit Project, told Wired that it could have “catastrophic consequences,” depending on “what scenarios and prerequisites are required, which we are still analyzing.” Former NSA staffer and Rendition Infosec founder Jake Williams told TechCrunch that the flaw was well suited to state espionage and essentially acted as “a master key to bypass any number of endpoint security controls.” Both the NSA and Microsoft kept tight control over the vulnerability, sources told TechCrunch, and released patches to government, military and industry organizations before the fix was released to the general public on Tuesday.

MIT Technology Review reported that this appears to be part of a shift away from the NSA's previous practice of simply cataloguing such flaws and exploiting them for intelligence purposes, toward cyber defense. The NSA launched a Cybersecurity Directorate late last year with the stated intention of aligning its defensive cybersecurity work with its foreign intelligence gathering operations and protecting US industrial and defense networks from intrusion. It probably doesn't hurt that fixing the flaw can help rehabilitate the NSA's reputation after the EternalBlue fiasco, in which a leaked NSA exploit was used to power waves of ransomware across the globe.

“We want a new approach to sharing, to build trust with the cybersecurity community,” Neuberger told reporters, according to the MIT Technology Review. “This is a key aspect of that.”

“One part of building trust is showing the data,” Neuberger added. “We have submitted vulnerabilities for a long time, but we have never allowed attribution, and as a result it is difficult for entities to trust us. The second part of the decision is that we want to step forward to advise critical infrastructure networks, to raise awareness. To do this, we knew we had to be very transparent about it.”

“However, make no mistake: the NSA will continue to stockpile zero-days and take advantage of them as necessary to achieve its objectives,” Rick Holland, chief information security officer at San Francisco-based Digital Shadows, told the Guardian.
