The National Security Agency (NSA) has discovered a dangerous vulnerability in Microsoft Windows that could expose users to theft of their confidential data.
In a surprising departure from prior policy, the NSA reported the flaw to the vendor rather than keeping it quiet and pocketing it as a cyber weapon. The Washington Post first reported the NSA’s discovery on Tuesday, January 14, 2020.
Microsoft, whose regular Patch Tuesday release of security updates included a fix for the bug, said in an alert that attackers “could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.”
A user, Microsoft said, would have no way to tell that the file was malicious, because its digital signature would appear to come from a trusted source. An attacker could also exploit the flaw to mount man-in-the-middle attacks, the vendor said. KrebsOnSecurity reported that Microsoft on Monday, a day ahead of the public release, quietly shipped the patch to branches of the U.S. military and to other high-value customers that manage key Internet infrastructure.
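Microsoft's alert says only that a spoofed certificate would "appear" to come from a trusted source. Going beyond what this article states, the publicly documented root cause was that the affected Windows certificate validation matched a certificate against a trusted root by its elliptic-curve public key alone, without confirming that the curve parameters carried in the certificate were the standard ones for that key. The following is an added example, not code from this page, from Microsoft or from the NSA: it uses a toy 19-point curve (insecure, illustration only) and textbook ECDSA to show how an attacker who knows only the trusted root's public point can pick a private key of their choosing, derive a matching generator, and sign so that a point-only trust check passes while a parameter-aware check rejects. The key names, the root private key 7 and the attacker key 3 are constructed for the demo.

```python
import hashlib
from dataclasses import dataclass

# Toy curve y^2 = x^3 + 2x + 2 over F_17 (textbook example, 19 points); insecure, illustration only.
P, A, B = 17, 2, 2
STD_G = (5, 1)   # the "named" standard generator a verifier should expect
N = 19           # order of STD_G (prime)


def _inv(x, m):
    return pow(x, -1, m)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * _inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * _inv((x2 - x1) % P, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    result = None
    k %= N
    while k:
        if k & 1:
            result = ec_add(result, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return result


def _hash(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(priv, gen, msg):
    """Textbook ECDSA over generator `gen`; nonce search is deterministic for repeatability."""
    h = _hash(msg)
    for k in range(1, N):
        r = ec_mul(k, gen)[0] % N
        if r == 0:
            continue
        s = _inv(k, N) * (h + priv * r) % N
        if s:
            return (r, s)
    raise ValueError("no valid nonce")


def verify(gen, pub, msg, sig):
    """ECDSA verification using whatever generator the key carries with it."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = _inv(s, N)
    h = _hash(msg)
    x = ec_add(ec_mul(h * w % N, gen), ec_mul(r * w % N, pub))
    return x is not None and x[0] % N == r


@dataclass(frozen=True)
class PublicKey:
    generator: tuple   # curve parameters travel with the key, like explicit EC parameters in a certificate
    point: tuple       # the public key point Q


# Trusted root (constructed for the demo): Q = 7 * STD_G
ROOT_PRIV = 7
ROOT_KEY = PublicKey(STD_G, ec_mul(ROOT_PRIV, STD_G))

# Attacker (constructed): choose any private key d', then set G' = d'^-1 * Q so that
# d' * G' == Q. The forged key shows the root's public point without knowing ROOT_PRIV.
EVIL_PRIV = 3
EVIL_G = ec_mul(_inv(EVIL_PRIV, N), ROOT_KEY.point)
FORGED_KEY = PublicKey(EVIL_G, ROOT_KEY.point)


def vulnerable_accepts(key, msg, sig):
    """Trusts a key by its public point alone, then verifies with the key's own parameters."""
    return key.point == ROOT_KEY.point and verify(key.generator, key.point, msg, sig)


def hardened_accepts(key, msg, sig):
    """Also requires the curve parameters to match the trusted root (or a named curve)."""
    return key == ROOT_KEY and verify(key.generator, key.point, msg, sig)


MSG = b"malicious.exe"   # constructed stand-in for the signed content
FORGED_SIG = sign(EVIL_PRIV, EVIL_G, MSG)

if __name__ == "__main__":
    print("forged key point equals root point:", FORGED_KEY.point == ROOT_KEY.point)
    print("vulnerable check accepts forged signature:", vulnerable_accepts(FORGED_KEY, MSG, FORGED_SIG))
    print("hardened check accepts forged signature:", hardened_accepts(FORGED_KEY, MSG, FORGED_SIG))
```

The point of the demo is the trust decision, not the arithmetic: a verifier that identifies a trusted key only by its public point, and then verifies using the parameters the untrusted certificate supplies, is verifying against a generator the attacker chose. The fix is to reject explicit parameters that differ from the trusted key's (in practice, to insist on the named curve the root was issued under), which is what the hardened check does.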
Windows Security Flaw: MSSP Implications
For managed security service providers (MSSPs), a discovery of this magnitude warrants sounding the alarm to customers about the data breaches and other havoc it could bring.
The NSA’s reaction to finding the flaw stands in contrast to its recent history of closeting such discoveries to add to its hacking tool chest. For example, the devastating 2017 WannaCry malware spread using EternalBlue, an NSA exploit for a vulnerability in Microsoft’s Server Message Block (SMB) protocol that was stolen from the agency and leaked by the Shadow Brokers group, and infected more than 300,000 computers globally. The NotPetya ransomware assault also relied on EternalBlue. And, in 2016, Chinese state-backed spies recovered NSA hacking tools, including EternalBlue, from an attack on their own systems, reverse-engineered the code and hit targets in Europe and Asia.
But apparently this is a new day. The NSA produced its own cybersecurity advisory this time around: “NSA recommends installing all January 2020 Patch Tuesday patches as soon as possible to effectively mitigate the vulnerability on all Windows 10 and Windows Server 2016/2019 systems. In the event that enterprise-wide, automated patching is not possible, NSA recommends system owners prioritize patching endpoints that provide essential or broadly relied-upon services.”
The CERT Coordination Center (CERT/CC) has also published an advisory on the flaw.
Windows Security Flaw: More Perspectives
Security vendors quickly weighed in on the NSA’s action. “For the U.S. government to share its discovery of a critical vulnerability with a vendor is exceptionally rare if not unprecedented,” said Amit Yoran, Tenable’s chief executive and the founding director of the Department of Homeland Security’s US-CERT program. “It underscores the criticality of the vulnerability and we urge all organizations to prioritize patching their systems quickly.” The fact that Microsoft provided a fix in advance to the U.S. government and other customers that provide critical infrastructure is also highly unusual, Yoran said.