Η Microsoft κυκλοφόρησε χθες το βράδυ τις ενημερώσεις του Patch Tuesday for Windows 10 and the Windows Server. Μια από τις vulnerabilities που επιδιόρθωσε η εταιρεία ήταν και μια που τους έδωσε η NSA. Για την συγκεκριμένη ευπάθεια είχαμε reported yesterday before the patch was released by Microsoft.
The vulnerability affects the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve encryption certificates (from Elliptic Curve Cryptography or simply ECL).
A successful exploitation gives the attacker the power to carry out man-in-the-middle attacks and is then able to decrypt sensitive information.
"An attacker could exploit the vulnerability by using a forged certificate to sign a malicious executable. file, making it appear trustworthy and from a legitimate source. The user has no way of knowing that the file is malicious because its digital signature appears to come from a trusted provider,” Microsoft says.
The vulnerability has been described as "significant" and Microsoft explains that exploitation is possible. However, the company is not aware of any attacks at this time.
On the other hand, the NSA published an article of its own about the defect, urging all users update windows as soon as possible.
"Vulnerability jeopardizes key points of Windows in a wide range of operators. The NSA believes that the vulnerability is serious and that cybercriminals will quickly grasp the underlying security vulnerability and, if exploited, make the aforementioned platform fundamentally vulnerable. The consequences of not covering the vulnerability will be serious and widespread. "
All versions of Windows 10 released to date are affected, including Windows Server 2016, Windows Server 2019, and Windows Server in versions 1809, 1903, and 1909. The patches are included in this month's cumulative updates.
Of course the NSA seems to be trying to build its public profile by opening up a very serious vulnerability in Windows, with official press releases (PDF) etc. But what the information collection service of the USA, is how long it has known about the vulnerability and announced it now.
Because in the case of the NSA and any intelligence service, paranoia is half true.
The NSA may have known about the vulnerability and did not disclose it for obvious reasons, until it discovered that others knew.
The above scenario best fits the way the services like the NSA, as altruism is known not to characterize them.