Microsoft and NSA say a security bug affects millions of Windows 10 computers

Microsoft has released a security patch for a dangerous vulnerability affecting hundreds of millions of computers running Windows 10.
The vulnerability is found in a decades-old Windows cryptographic component, known as CryptoAPI. The component has a range of functions, one of which allows developers to digitally sign their software, proving that the software has not been tampered with. But the bug may allow attackers to spoof legitimate software, potentially making it easier to run malicious software — like ransomware — on a vulnerable computer.
“The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider,” Microsoft said.
CERT-CC, the vulnerability disclosure center at Carnegie Mellon University, said in its advisory that the bug can also be used to intercept and modify HTTPS (or TLS) communications.
Microsoft said it found no evidence to show that the bug has been actively exploited by attackers, and classified the bug as “important.”
Independent security journalist Brian Krebs first reported details of the bug.
The National Security Agency confirmed in a call with reporters that it found the vulnerability and turned over the details to Microsoft, allowing the company to build and ready a fix.
Only two years ago the spy agency was criticized for finding and using a Windows vulnerability to conduct surveillance instead of alerting Microsoft to the flaw. The agency used the vulnerability to create an exploit, known as EternalBlue, as a way to secretly backdoor vulnerable computers. But the exploit was later leaked and was used to infect thousands of computers with the WannaCry ransomware, causing millions of dollars’ worth of damage.
Anne Neuberger, NSA’s director of cybersecurity, told TechCrunch that once the vulnerability was discovered, it went through the vulnerabilities equities process, a decision-making process used by the government to determine if it should retain control of the flaw for use in offensive security operations or if it should be disclosed to the vendor. It’s not known if the NSA used the bug for offensive operations before it was reported to Microsoft.


“It’s encouraging to see such a critical vulnerability turned over to vendors rather than weaponized.”