NSA: why donate a CryptoAPI 0day to Microsoft?

Microsoft released its Patch Tuesday updates last night for Windows 10 and Windows Server. One of the vulnerabilities the company fixed was reported to it by the NSA. We had covered that specific vulnerability yesterday, before Microsoft released the patch.

The vulnerability affects the way the Windows CryptoAPI (Crypt32.dll) validates elliptic curve cryptography (ECC) certificates.


Successful exploitation gives the attacker the ability to carry out man-in-the-middle attacks and then decrypt sensitive information.

"An attacker could exploit the vulnerability by using a forged certificate to sign a malicious executable file, making it appear credible and from a legitimate source. The user has no way of knowing that the file is malicious, because its digital signature seems to come from a trusted provider," Microsoft said.

Microsoft has rated the vulnerability as "significant" and explains that exploitation is possible; however, the company is not aware of any attacks at this time.

For its part, the NSA published an advisory of its own about the flaw, urging all Windows users to update as soon as possible.

"The vulnerability jeopardizes key Windows components for a wide range of operators. The NSA considers the vulnerability to be serious and expects that specialized cyberspace operators will very quickly understand the underlying security flaw; if it is exploited, the aforementioned platform will become fundamentally vulnerable. The consequences of not patching the vulnerability will be serious and widespread."

All versions of Windows 10 released to date are affected, as are Windows Server 2016, Windows Server 2019, and Windows Server versions 1809, 1903, and 1909. The patches are included in this month's cumulative updates.

Of course, the NSA appears to be trying to build its public profile by disclosing a very serious Windows vulnerability, complete with official press releases (PDF) and so on. But what the US intelligence agency did not tell us is how long it had been aware of the vulnerability before announcing it now.

Because, in the case of the NSA or any secret service, paranoia is half true, I would like to mention a scenario that occurred to me as soon as I learned of the NSA's intention to reveal the 0day.
The NSA may have known about the vulnerability and not revealed it, for obvious reasons, until it discovered that others knew about it too.

The above scenario fits better with the way agencies like the NSA operate, since altruism is not known to be one of their traits.

