Microsoft Notifies Security Bug on Windows 10

Initially identified by the National Security Agency, the bug has reportedly made hundreds of millions of computers across the world vulnerable


Windows 10 users, beware: there is a bug on the prowl. If you receive a security patch from Microsoft, we suggest that you install it immediately, as the company has warned that millions of computers running Windows 10 could be vulnerable because of a flaw in a decades-old cryptographic component.

The component, known as the CryptoAPI, performs a series of functions that allow developers to digitally sign their software to prove its authenticity. However, the latest bug could have allowed attackers to spoof those signatures, making it easier to run malware (or ransomware) on a vulnerable PC or laptop, says a post on the Microsoft blog.

The existence of this “spoofing vulnerability” means that “attackers can exploit it through the use of a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.”

Microsoft says that a successful exploit could also allow an attacker to conduct man-in-the-middle attacks and decrypt confidential information on users' connections to the affected software. It adds that the latest security patch addresses the vulnerability by ensuring that Windows CryptoAPI completely validates Elliptic Curve Cryptography certificates.


A report published on TechCrunch.com quoted an advisory from the CERT/CC vulnerability disclosure centre at Carnegie Mellon University, suggesting that the bug could also be used to intercept and modify HTTPS communications, though Microsoft says it has to date found no evidence of the bug being actively exploited.

The report further quoted National Security Agency official Anne Neuberger as saying that once the agency discovered the vulnerability, it went through the government's review process to decide whether it should be retained for use in security operations or disclosed to the vendor. It may be recalled that the NSA had reportedly used an earlier vulnerability for surveillance without alerting Microsoft.

The NSA had created the EternalBlue exploit as a means of conducting secret surveillance, but once it leaked, it ended up being used to infect thousands of computers with the WannaCry malware, which caused damage worth millions of dollars.

This time round, the NSA immediately pointed out the security flaw to Microsoft, which has reportedly released patches covering Windows 10 and Windows Server 2016, both of which are used by the US government, the military and several of the world's top enterprises.

Reports also claimed that this time round, Microsoft kept a tight leash on how many people in the ecosystem knew of the vulnerability, as it did not want to spread chaos among users before the patch was ready and shipped out online for download.

The severity of the situation prompted formal communications from US authorities, who sounded an alert via the Cybersecurity and Infrastructure Security Agency and followed it up with an emergency directive from the Department of Homeland Security and a further advisory from the NSA.

“The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners,” said the agency.

For readers interested in knowing what went into the latest patch, see the table provided by the SANS Technology Institute.


TAGS: Microsoft, Windows 10, Security, Ransomware, NSA, Cybersecurity, Security patches, Patch