NSA: why donate a CryptoAPI 0-day to Microsoft?

Microsoft released its Patch Tuesday updates for Windows 10 and Windows Server last night. One of the vulnerabilities the company patched was reported to it by the NSA. We had written about this particular vulnerability yesterday, before Microsoft released the patch.

The vulnerability (CVE-2020-0601) lies in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. Crypt32.dll accepted certificates whose public key was described with explicit curve parameters, including an attacker-chosen base point, and matched such a certificate to a trusted root on the public key alone. An attacker who picks a private key d' and a base point G' such that d'·G' equals a trusted CA's public point therefore holds a "private key" for a certificate Windows chains to that root.
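As an added example (not code from the article, Microsoft or the NSA): the practical tell of such a forgery is an ECC SubjectPublicKeyInfo that carries explicit curve parameters (an ECParameters SEQUENCE) instead of a named-curve OID, which is what NSA's advisory suggested hunting for in logs and certificate stores. The standard-library Python script below parses the DER of a certificate, walks to the subjectPublicKeyInfo and classifies its parameters. Both certificates it inspects are constructed in the script (skeleton DER with placeholder names, a placeholder public point, and the real P-256 domain parameters); nothing is fetched from a real store.

```python
"""Classify the ECC parameters in an X.509 certificate's SubjectPublicKeyInfo.

Added example, standard library only.  The two sample certificates are
constructed below (skeleton DER, placeholder public point); they are not real
certificates and the classifier never validates signatures or chains.
"""

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
PRIME256V1 = "1.2.840.10045.3.1.7"
PRIME_FIELD = "1.2.840.10045.1.1"
ECDSA_SHA256 = "1.2.840.10045.4.3.2"

# P-256 domain parameters (used only to build a realistic explicit-parameter sample).
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
P256_G = bytes.fromhex(
    "046B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296"
    "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5")
# Placeholder public point (constructed, not on the curve); in a real forgery this
# would be the trusted CA's public point and the base point above would be G'.
PUB_POINT = b"\x04" + b"\x11" * 32 + b"\x22" * 32


# ---- minimal DER encoder, used only to build the sample inputs ----
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n: int) -> bytes:
    # One spare bit keeps the two's-complement encoding positive.
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


# ---- minimal DER decoder, the part the check actually relies on ----
def read_tlv(buf: bytes, off: int = 0):
    """Return (tag, value, next_offset) for the TLV starting at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, buf[off:off + length], off + length


def children(body: bytes):
    out, off = [], 0
    while off < len(body):
        tag, value, off = read_tlv(body, off)
        out.append((tag, value))
    return out


def decode_oid(body: bytes) -> str:
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def spki_body(cert_der: bytes) -> bytes:
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo (RFC 5280 field order)."""
    _, cert_body, _ = read_tlv(cert_der)
    fields = children(children(cert_body)[0][1])   # tbsCertificate contents
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def classify_ec_params(cert_der: bytes) -> str:
    """'named-curve', 'explicit-params' (the CVE-2020-0601 shape), 'implicit-ca' or 'not-ec'."""
    alg = children(children(spki_body(cert_der))[0][1])   # AlgorithmIdentifier
    if decode_oid(alg[0][1]) != ID_EC_PUBLIC_KEY:
        return "not-ec"
    if len(alg) < 2:
        return "absent-params"
    return {0x06: "named-curve", 0x30: "explicit-params", 0x05: "implicit-ca"}.get(
        alg[1][0], "unknown")


# ---- constructed sample certificates ----
def named_curve_spki() -> bytes:
    alg = der(0x30, der_oid(ID_EC_PUBLIC_KEY) + der_oid(PRIME256V1))
    return der(0x30, alg + der(0x03, b"\x00" + PUB_POINT))


def explicit_params_spki() -> bytes:
    # ECParameters ::= SEQUENCE { version, fieldID, curve, base, order, cofactor } (RFC 3279)
    field = der(0x30, der_oid(PRIME_FIELD) + der_int(P256_P))
    curve = der(0x30, der(0x04, P256_A.to_bytes(32, "big")) + der(0x04, P256_B.to_bytes(32, "big")))
    params = der(0x30, der_int(1) + field + curve + der(0x04, P256_G) + der_int(P256_N) + der_int(1))
    alg = der(0x30, der_oid(ID_EC_PUBLIC_KEY) + params)
    return der(0x30, alg + der(0x03, b"\x00" + PUB_POINT))


def sample_cert(spki: bytes) -> bytes:
    """Constructed certificate skeleton: correct field order, placeholder contents."""
    sig_alg = der(0x30, der_oid(ECDSA_SHA256))
    name = der(0x30, der(0x31, der(0x30, der_oid("2.5.4.3") + der(0x0C, b"Example CA"))))
    validity = der(0x30, der(0x17, b"200114000000Z") + der(0x17, b"300114000000Z"))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + sig_alg + name + validity + name + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + b"\x00" * 64))


if __name__ == "__main__":
    for label, spki in (("named", named_curve_spki()), ("explicit", explicit_params_spki())):
        print(label, "->", classify_ec_params(sample_cert(spki)))
```

Explicit parameters are legal ASN.1 but RFC 5480 forbids them in PKIX certificates, so any certificate in a store, a TLS handshake or an Authenticode signature that yields "explicit-params" deserves a look; on a patched system Crypt32 rejects such certificates, on an unpatched one this check is the substitute. Feed real certificates in by reading the DER (or base64-decoding the PEM body) and passing the bytes to classify_ec_params.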


Successful exploitation lets an attacker mount man-in-the-middle attacks against connections to affected software and then decrypt the sensitive data they carry.

"An attacker could exploit the vulnerability by using a forged certificate to sign a malicious executable file, making it appear credible and from a legitimate source. The user has no way of knowing that the file is malicious, because the digital signature appears to come from a trusted provider," says Microsoft.

Microsoft rates the vulnerability as "Important" and judges exploitation likely; however, the company says it is not aware of any attacks at this time.

For its part, the NSA published an advisory of its own about the flaw, urging everyone to update Windows as soon as possible.

"The vulnerability puts Windows endpoints at risk across a broad range of exploitation vectors. NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the aforementioned platforms fundamentally vulnerable. The consequences of not patching the vulnerability will be severe and widespread."

All versions of Windows 10 released to date are affected, as are Windows Server 2016, Windows Server 2019 and Windows Server versions 1809, 1903 and 1909. The fixes are included in this month's cumulative updates.

Of course, the NSA seems to be trying to build its public profile by disclosing a very serious vulnerability in Windows, complete with official press releases (PDF) and so on. But what the American intelligence agency does not say is how long it has known about the vulnerability, and why it is announcing it only now.

Because in the case of the NSA, as with any intelligence service, paranoia is usually half right.
The NSA may have known about the vulnerability and withheld it, for obvious reasons, until it discovered that others knew about it too.

That scenario fits better with the way agencies like the NSA operate; altruism is not known to be one of their traits.

iGuRu.gr

Written by giorgos
