NSA: why donate CryptoAPI 0day to Microsoft?

Microsoft released its Patch Tuesday updates for Windows 10 and Windows Server last night. One of the vulnerabilities the company patched had been handed to it by the NSA. We reported on it yesterday, before Microsoft released the patch.

The vulnerability affects the way the Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.


Successful exploitation lets an attacker carry out man-in-the-middle attacks and then decrypt sensitive information.

"An attacker could exploit the vulnerability by using a forged certificate to sign a malicious executable file, making it appear credible and from a legitimate source. The user has no way of knowing that the file is malicious, because its digital signature appears to come from a trusted provider," says Microsoft.
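The point behind Microsoft's description is that a signature is only as trustworthy as the certificate-chain validation behind it: the verifier must tie the chain back to the actual public key of a trusted root, not merely to a certificate that carries the root's name. The following Go program is an added example written for this article; it is not code from Microsoft, the NSA, or the article's author, and it does not reproduce the patched CryptoAPI flaw. It constructs a throwaway ECC root, a leaf the root genuinely issued, and a second leaf issued by a rogue key whose self-signed certificate copies the root's subject name, then shows that standard chain validation with Go's crypto/x509, plus an explicit pin on the root's SubjectPublicKeyInfo bytes, accepts the first and rejects the second. All names and certificates in it are constructed on the fly.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// rootName is a constructed subject name; the rogue CA below copies it.
const rootName = "Example Trusted Root CA (constructed)"

// Scenario holds the constructed certificates used in the demonstration.
type Scenario struct {
	Root        *x509.Certificate // trusted anchor
	GenuineLeaf *x509.Certificate // code-signing leaf issued by Root
	ForgedLeaf  *x509.Certificate // leaf issued by a rogue key that only copies Root's name
}

// template builds a certificate template; CAs get CertSign and no EKU restriction,
// leaves get a code-signing EKU.
func template(serial int64, cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
		t.ExtKeyUsage = nil
	}
	return t
}

// issue generates a fresh P-256 key for tmpl and signs it under parent.
// A nil parent means the certificate is self-signed with its own new key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildScenario creates the trusted root, a genuine leaf, and a forged leaf whose
// issuer name matches the root but whose signature comes from an untrusted key.
func BuildScenario() (*Scenario, error) {
	root, rootKey, err := issue(template(1, rootName, true), nil, nil)
	if err != nil {
		return nil, err
	}
	genuine, _, err := issue(template(2, "Example Publisher (constructed)", false), root, rootKey)
	if err != nil {
		return nil, err
	}
	rogue, rogueKey, err := issue(template(3, rootName, true), nil, nil) // same name, different key
	if err != nil {
		return nil, err
	}
	forged, _, err := issue(template(4, "Example Publisher (constructed)", false), rogue, rogueKey)
	if err != nil {
		return nil, err
	}
	return &Scenario{Root: root, GenuineLeaf: genuine, ForgedLeaf: forged}, nil
}

// VerifyCodeSigningLeaf validates leaf for code signing against a single trusted
// root, then additionally pins the chain anchor to the root's exact public key bytes.
func VerifyCodeSigningLeaf(leaf, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	if err != nil {
		return err // signature does not chain to the trusted key (or EKU/time mismatch)
	}
	anchor := chains[0][len(chains[0])-1]
	if !bytes.Equal(anchor.RawSubjectPublicKeyInfo, root.RawSubjectPublicKeyInfo) {
		return errors.New("chain anchor public key does not match the pinned root")
	}
	return nil
}

// CurveName reports the named curve of an ECDSA certificate key ("" for non-EC keys),
// useful when logging which curves signers actually present.
func CurveName(cert *x509.Certificate) string {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return ""
	}
	return pub.Curve.Params().Name
}

func main() {
	s, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf curve:", CurveName(s.GenuineLeaf))
	fmt.Println("genuine leaf:", VerifyCodeSigningLeaf(s.GenuineLeaf, s.Root))
	fmt.Println("forged leaf: ", VerifyCodeSigningLeaf(s.ForgedLeaf, s.Root))
}
```

Running it prints a nil error for the genuine leaf and a non-nil error for the forged one, even though both leaves name the same issuer. The extra pin on RawSubjectPublicKeyInfo is deliberate: it compares the full encoded key, including its algorithm and curve identifier, rather than only a name or a key coordinate.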

The vulnerability has been described as "significant", and Microsoft states that exploitation is possible, although the company is not aware of any attacks at this time.

The NSA, for its part, published its own advisory about the flaw, urging all users to update Windows as soon as possible:

"The vulnerability basically exposes Windows to a wide range of operators. The NSA believes that the vulnerability is serious and that skilled cyber actors will very quickly understand the underlying security hole and, if exploited, will render the aforementioned platform fundamentally vulnerable. The consequences of not covering the vulnerability will be severe and widespread."

All versions of Windows 10 released to date are affected, as are Windows Server 2016, Windows Server 2019, and Windows Server versions 1809, 1903, and 1909. The patches are included in this month's cumulative updates.

Of course, the NSA seems to be trying to raise its public profile by disclosing a very serious vulnerability in Windows, complete with official press releases (PDF) and so on. What the US intelligence service did not tell us is how long it has been aware of the vulnerability, and why it chose to announce it now.

Because with the NSA, as with any intelligence service, paranoia is half the truth. The NSA may have known about the vulnerability and kept it to itself for obvious reasons, until it discovered that others knew too.

That scenario fits better with the way services like the NSA operate, since altruism is not known to be one of their traits.


Written by giorgos

George still wonders what he's doing here ...
