08:17 17th Jan, 2020
Microsoft Notifies Security Bug on Windows 10
Initially identified by the National Security Agency, the bug has reportedly made hundreds of millions of computers across the world vulnerable
Beware, Windows 10 users: there is a bug on the prowl, and if you receive a security patch from Microsoft we suggest that you install it immediately, as the company has warned that millions of computers running Windows 10 could be vulnerable because of a flaw in a decades-old cryptographic component.
The component, known as the CryptoAPI, performs a series of functions that allow developers to digitally sign their software to prove its authenticity. However, the bug could have allowed attackers to spoof those signatures, making it easier to run malware (or ransomware) on a vulnerable PC or laptop, says a post on the Microsoft blog.
This “spoofing vulnerability” means that “attackers can exploit it through the use of a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.”
Microsoft says that a successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software, and adds that the latest security patch addresses this vulnerability by ensuring that Windows CryptoAPI completely validates Elliptic Curve Cryptography certificates.
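To illustrate what complete validation of an ECC code-signing chain means in practice, here is an added Go example; it is not code from the article, from Microsoft or from the Windows CryptoAPI, and it does not reproduce the flawed CryptoAPI logic. The signer's certificate must chain back to the pinned root's own key, so a forged chain whose fake root merely shares the trusted root's name is rejected; the names "Trusted Root CA" and "vendor-signer" and all keys are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert generates a fresh P-256 key and issues a code-signing certificate for name, signed by
// parent/parentKey (a self-signed CA when parent is nil). All key material is constructed on the fly.
func mkCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if parent == nil { parent, parentKey = tmpl, key } // self-sign the root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// ValidateCodeSigner chains the signer's certificate back to the pinned root's own key; anything
// the signer presents alongside it is at most an intermediate, never a trust anchor.
func ValidateCodeSigner(leaf *x509.Certificate, presented []*x509.Certificate, trustedRoot *x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	for _, c := range presented { inter.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err
}

// Scenario returns the verdicts on a legitimate chain and on a forged chain whose fake root shares only the pinned root's name.
func Scenario() (legit, forged error) {
	root, rootKey := mkCert("Trusted Root CA", nil, nil)
	leaf, _ := mkCert("vendor-signer", root, rootKey)
	fakeRoot, fakeKey := mkCert("Trusted Root CA", nil, nil) // same name as the pinned root, attacker-generated key
	malLeaf, _ := mkCert("vendor-signer", fakeRoot, fakeKey)
	return ValidateCodeSigner(leaf, nil, root), ValidateCodeSigner(malLeaf, []*x509.Certificate{fakeRoot}, root) // nil = accepted
}
```

The forged chain fails with an unknown-authority error because the fake root's signature cannot be verified with the pinned root's key, even though its subject name matches.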
A report published on TechCrunch.com quoted an advisory from the CERT/CC vulnerability disclosure centre at Carnegie Mellon University to suggest that the bug could also be used to intercept and modify HTTPS communications, though Microsoft says it has to date found no evidence of the bug having been actively exploited.
The report further quoted National Security Agency official Anne Neuberger as saying that once the agency discovered the vulnerability, it went through the government's process for deciding whether it should be retained for use in security operations or disclosed to the vendor. It may be recalled that the NSA had reportedly used an earlier vulnerability for surveillance without alerting Microsoft.
The NSA had created EternalBlue as a means of conducting secret surveillance, but once it leaked, it ended up infecting thousands of computers with the WannaCry malware, causing damage worth millions of dollars.
This time round, the NSA immediately pointed out the security flaw to Microsoft, which has reportedly released patches covering Windows 10 and Windows Server 2016, both of which are used by the US government, the military and several of the world's top enterprises.
Reports also claimed that this time round, Microsoft kept a tight leash on how many in the ecosystem had knowledge of the vulnerability, as it did not want to spread chaos among users before the patch was ready and available for download.
The severity of the situation prompted formal communications from US authorities who sounded an alert via the Cybersecurity and Infrastructure Security Agency and followed it up with an emergency directive from the Department of Homeland Security and another advisory from the NSA.
“The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners,” said the agency.
For those readers interested in knowing what made up the latest patch, check out the table provided by the SANS Technology Institute.