National Security Agency points out that Windows 10 has a serious security flaw

Microsoft today released a patch for Windows 10 and Server 2016 after the National Security Agency identified a serious vulnerability. It is a rare but unprecedented tip-off that highlights the seriousness of the error and may indicate new priorities for the National Security Agency.

The problem lies in a Windows mechanism that is used to verify the legitimacy of software or to establish secure web connections. If the verification itself is not reliable, attackers can use this fact to remotely spread malware or intercept confidential data.

The problem lies specifically in the Microsoft CryptoAPI service, which developers can use to cryptographically “sign” software and data or to generate digital certificates for authentication. These serve as proof of reliability and validity when Windows checks for them on the user’s devices. An attacker could exploit the flaw to undermine important security measures and ultimately take control of the victim’s devices.

As researchers and cybercriminals investigate the vulnerability and rush to develop a hacking tool that takes advantage of it, the level of risk to users will become clearer. However, an error in a critical cryptographic component of Windows is undoubtedly problematic, especially since Windows 10 is the most widely used operating system in the world and is installed on more than 900 million PCs.

“It is a central part of the low-level Windows operating system and builds trust among administrators, regular users and other computers both on the local network and on the Internet,” said Kenn White, director of security at MongoDB and director of the Open Crypto Audit Project. “If the technology that builds trust is vulnerable, it can have catastrophic consequences. But we are still analyzing the exact scenarios and requirements. The day will be long for many Windows administrators around the world.”

The NSA’s decision to share the vulnerability is reminiscent of the NSA hacking tool Eternal Blue, which exploited a Windows bug fixed in early 2017. That bug was present in all versions of Windows available at the time, and the NSA had known about it, and used it for digital espionage, for more than five years. Eventually, the NSA lost control of Eternal Blue. A few weeks after Microsoft released an update, a mysterious hacking group known as the Shadow Brokers released the tool online. Criminals and nation-state hackers had a field day using the tool while Windows machines worldwide were slowly patched.

Disclosing the Windows validation error could be the NSA’s attempt to avoid a similar debacle. And unlike with Eternal Blue, Neuberger made it clear that the agency itself had not used the exploit.

In fact, Neuberger said the disclosure of the code verification error to Microsoft and the public was part of a new NSA initiative in which the agency would report its vulnerability findings faster and more frequently. The effort will run in parallel with the National Security Council’s existing Vulnerabilities Equities Process, which weighs the national security value of keeping hacking tools secret against that of disclosing the vulnerabilities.

Even before the Eternal Blue fiasco, the NSA was criticized for hoarding vulnerabilities for its own exploitation rather than disclosing them so that they could be fixed.

In October, Neuberger took the helm of the NSA’s new cybersecurity branch to improve the internal security of the NSA and strengthen inter-department collaboration. The traditionally silent and secretive agency has also taken other steps to connect with the cybersecurity research community, such as releasing Ghidra, a valuable analysis tool developed by the NSA, as an open source offering to the community last year.

Disclosing this error certainly does not mean that the NSA will, or should, give up its entire arsenal of hacking tools. However, the move towards transparency is a welcome one, even if it also serves to rehabilitate the NSA’s image.
