Microsoft released Patch Tuesday updates for Windows 10 and Windows Server last night. One of the vulnerabilities that the company fixed was one given to them by the NSA. For the specific vulnerability we had reported yesterday before the patch was released by Microsoft.
The vulnerability affects the way in which Windows CryptoAPI (Crypt32.dll) validates elliptic curve encryption certificates (from Elliptic Curve Cryptography or simply ECL).
A successful exploitation gives the attacker the power to carry out man-in-the-middle attacks and is then able to decrypt sensitive information.
"An attacker could exploit the vulnerability by using a forged certificate to sign a malicious executable file, making it appear credible and from a legitimate source. "The user has no way of knowing that the file is malicious, because their digital signature appears to come from a trusted provider," says Microsoft.
The vulnerability has been described as "significant" and Microsoft explains that exploitation is possible. However, the company is not aware of any attacks at this time.
On the other hand, the NSA published an article of its own about the flaw, urging all Internet users to update Windows as soon as possible.
"Vulnerability jeopardizes key points of Windows in a wide range of operators. The NSA believes that the vulnerability is serious and that cybercriminals will quickly grasp the underlying security vulnerability and, if exploited, make the aforementioned platform fundamentally vulnerable. The consequences of not covering the vulnerability will be serious and widespread. "
All versions of Windows 10 released to date are affected, including Windows Server 2016, Windows Server 2019, and Windows Server in versions 1809, 1903, and 1909. The patches are included in this month's cumulative updates.
Of course the NSA seems to be trying to build its public profile by opening up a very serious vulnerability to Windows, with official press releases (PDF) etc. But what the US intelligence service did not tell us is how long it has been aware of the vulnerability and announced it now.
Because in the case of the NSA and any secret service the paranoia is half true I would like to cite a scenario I thought of as soon as I learned of the NSA's willingness to reveal 0day.
The NSA may have known about the vulnerability and did not disclose it for obvious reasons, until it discovered that others knew.
The above scenario fits better with the way services like the NSA work, as altruism is known not to characterize them.