National Security Agency finds ‘extraordinarily serious security vulnerability’ in Microsoft’s Windows 10 that could affect 900 million users – and tells tech giant rather than weaponizing the flaw


Convert Text to Speech

Stacy Liberatore | The Daily Mail | Source URL

The National Security Agency (NSA) is starting the year off on the right foot by alerting Microsoft to a flaw in its Windows 10 operating system, instead of secretly weaponizing it.

The intelligence agency discovered 'an extraordinarily serious security vulnerability' that could spoof the digital signature of software that could trick a PC into letting malware in that is posing as a legitimate application.

The bug was uncovered in NSA's own research and by disclosing this information to the tech giant, the agency believes it is putting 'computer security ahead' of its own agenda.

The NSA came under fire five years ago for weaponizing a less sever flaw found in Microsoft's technology, dubbed EternalBlue, that was said to be like 'fishing with dynamite', according to The Washington Post. 

Cybercriminals stole the hacking tools from the NSA, launching massive ransomware campaigns – one specifically was WannaCry.

This major extortion scheme hit 150 countries including the US, Britain, Russia, China, Germany and France, and affected 200,000 different companies.

'As regards the source of these threats, I believe that the leadership of Microsoft have announced this plainly, that the initial source of the virus is the intelligence services of the United States,' Putin said.

'Once they're let out of the lamp, genies of this kind, especially those created by intelligence services, can later do damage to their authors and creators,' he told reporters in Beijing.

Chinese state media said 29,372 of their institutions had been infected, along with hundreds of thousands of devices.

The Japan Computer Emergency Response Team Co-ordination Center, a non-profit organisation providing support for computer attacks, said 2,000 computers at 600 locations in Japan were reported affected so far.

Shortly after EternalBlue was compromised, another NSA tool called EsteemAudit, was also breached.

This hack took advantage of a vulnerability in Microsoft's Remote Desktop Protocol in Windows 2003 and Windows XP, allowing an attacker to install and execute malicious code on hundreds of thousands of computers.

Microsoft Corp President Brad Smith sharply criticized the US government in 2017 for 'stockpiling' software flaws that it often cannot protect, citing recent leaks of both NSA and CIA hacking tools.

Symantec researcher explains WannaCry cyber attack origins

'Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,' Smith wrote in a blog post.

'An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen.'

However, Anne Neuberger, NSA director of Cybersecurity, held a press conference today stating that the agency did report the vulnerability and that 'this was the first time Microsoft will have credited NSA for reporting a security flaw.'

Computer security expert Dmitri Alperovitch wrote in a tweet Tuesday : 'Big kudos to NSA for voluntarily disclosing to Microsoft.'

'This is the type of [vulnerability] I am sure the [NSA hackers] would have loved to use for years to come.'

Brian Krebs with KrebsonScurity shared Neuberger stated that the problem only exists within Windows 10 and Windows Server 2016.

The flaw, according to Krebs, could have implications on a range of functions including authentication on Windows desktops and servers, the protection of sensitive data handled by Internet Explorer/Edge browsers, as well as a number of third-party applications and tools.

Microsoft released a free software patch to fix the flaw this afternoon and said it has not seen any evidence that hackers have used the technique.

Amit Yoran, CEO of security firm Tenable, said it is 'exceptionally rare if not unprecedented' for the U.S. government to share its discovery of such a critical vulnerability with a company.

Yoran, who was a founding director of the Department of Homeland Security's computer emergency readiness team, urged all organizations to prioritize patching their systems quickly.

An advisory sent by the NSA on Tuesday said 'the consequences of not patching the vulnerability are severe and widespread.'

Microsoft said an attacker could exploit the vulnerability by spoofing a code-signing certificate so it looked like a file came from a trusted source.

"The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider," the company said.

If successfully exploited, an attacker would have been able to conduct "man-in-the-middle attacks" and decrypt confidential information it intercepts on user connections, the company said.

Some computers will get the fix automatically, if they have the automatic update option turned on. Others can get it manually by going to Windows Update in the computer's settings.

Print Friendly, PDF & Email

Leave a Reply

Your email address will not be published. Required fields are marked *