Microsoft and NSA say a security bug affects millions of Windows 10 computers




Nokia Oyj's Hungarian Manufacturing Plant As Closure Announced By Microsoft Corp.
Nokia Oyj's Hungarian Manufacturing Plant As Closure Announced By Microsoft Corp.  

Microsoft has released a security patch for a dangerous vulnerability affecting hundreds of millions of computers running Windows 10.

The vulnerability is found in a decades-old Windows cryptographic component, known as CryptoAPI. The component has a range of functions, one of which allows developers to digitally sign their software, proving that the software has not been tampered with. But the bug may allow attackers to spoof legitimate software, potentially making it easier to run malicious software - like ransomware - on a vulnerable computer.

"The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider," Microsoft said.

CERT-CC, the the vulnerability disclosure center at Carnegie Mellon University, said in its advisory that the bug can also be used to intercept and modify HTTPS (or TLS) communications.

Microsoft said it found no evidence to show that the bug has been actively exploited by attackers, and classified the bug as "important."

Independent security journalist Brian Krebs first reported details of the bug.

The National Security Agency confirmed in a call with reporters that it found the vulnerability and turned over the details to Microsoft, allowing the company to build and ready a fix.

Only two years ago the spy agency was criticized for finding and using a Windows vulnerability to conduct surveillance instead of alerting Microsoft to the flaw. The agency used the vulnerability to create an exploit, known as EternalBlue, as a way to secretly backdoor vulnerable computers. But the exploit was later leaked and was used to infect thousands of computers with the WannaCry ransomware, causing millions of dollars' worth of damage.

Anne Neuberger, NSA's director of cybersecurity, told TechCrunch that once the vulnerability was discovered, it went through the vulnerabilities equities process, a decision-making process used by the government to determine if it should retain control of the flaw for use in offensive security operations or if it should be disclosed to the vendor. It's not known if the NSA used the bug for offensive operations before it was reported to Microsoft.

Neuberger confirmed Microsoft's findings that NSA had not seen attackers actively exploiting the bug.

Jake Williams, a former NSA hacker and founder of Rendition Infosec, told TechCrunch that it was "encouraging" that the flaw was turned over "rather than weaponized."

"This one is a bug that would likely be easier for governments to use than the common hacker," he said. "This would have been an ideal exploit to couple with man in the middle network access."

Microsoft is said to have released patches for Windows 10 and Windows Server 2016, which is also affected, to the U.S. government, military and other high-profile companies ahead of Tuesday's release to the wider public, amid fears that the bug would be abused and vulnerable computers could come under active attack.

The software giant kept a tight circle around the details of the vulnerabilities, with few at the company fully aware of their existence, sources told TechCrunch. Only a few outside the company and the NSA - such as the government's cybersecurity advisory unit Cybersecurity and Infrastructure Security Agency - were briefed.

CISA also issued a directive, compelling federal agencies to patch the vulnerabilities.

Williams said this now-patched flaw is like "a skeleton key for bypassing any number of endpoint security controls," he told TechCrunch.

Skilled attackers have long tried to pass off their malware as legitimate software, in some cases by obtaining and stealing certificates. Last year, attackers stole a certificate belonging to computer maker Asus to sign a backdoored version of its software update tool. By pushing the tool to the company's own servers, "hundreds of thousands" of Asus customers were compromised as a result.

When certificates are lost or stolen, they can be used to impersonate the app maker, allowing them to sign malicious software and make it look like it came from the original developer.

Dmitri Alperovitch, co-founder and chief technology officer at security firm CrowdStrike, said in a tweet that the NSA-discovered bug was a "critical issue."

"Everyone should patch. Do not wait," he said.

COMMENTS

More Related News

Kidtech startup SuperAwesome raises $17M, with strategic investment from Microsoft's M12 venture fund
Kidtech startup SuperAwesome raises $17M, with strategic investment from Microsoft's M12 venture fund

Kidtech startup SuperAwesome has raised an additional $17 million in funding, which includes a new strategic investment from Microsoft's venture fund, M12. Others participating in the round include existing investors, Mayfair Equity, Hoxton Ventures, and Ibis, along with other angels. To date, SuperAwesome has raised $37 million in outside investment.

Daily Crunch: Tech notables react to Kobe Bryant's death
Daily Crunch: Tech notables react to Kobe Bryant's death

The Daily Crunch is TechCrunch's roundup of our biggest and most important stories. The Los Angeles startup community is joining the rest of the world in mourning the death of NBA superstar, entrepreneur and investor Kobe Bryant who was killed in a helicopter crash in Calabasas, Calif. on Sunday. Bryant launched his venture career with partner and serial entrepreneur Jeff Stibel back in 2013, making investments in Los Angeles-based companies like LegalZoom, Scopely, Art of Sport, The Honest Company, RingDNA, FocusMotion, DyshApp and Represent.

Bird confirms acquisition of Berlin scooter rival Circ
Bird confirms acquisition of Berlin scooter rival Circ

Bird, the LA-founded e-scooter giant, has confirmed that it is acquiring European competitor Circ, the micromobilty company founded by Lukasz Gadowski of Delivery Hero fame. Meanwhile, TechCrunch revealed late November that Circ was facing difficulties and had issued a round of layoffs following so-called

Benzinga
Benzinga's Bulls And Bears Of The Week: Apple, Boeing, Netflix, GE And More

Benzinga has examined the prospects for many investor favorite stocks over the past week. Bearish calls included aerospace and electric vehicle leaders. It was a good week for renowned CEOS Elon Musk and Jamie Dimon, but not so much for Jeff Bezos.

Startups Weekly: Tech layoffs spread (a bit)
Startups Weekly: Tech layoffs spread (a bit)

Are January layoffs just a few post-WeWork jitters? TechCrunch has found itself writing about layoffs at a few notable tech companies this week - and not just Softbank-backed ones. The focus is very much profits, as Alex Wilhelm summed up on Thursday, especially after the failed WeWork IPO and subsequent valuation and headcount decimation.

Leave a Comment

Your email address will not be published. Required fields are marked with *

Cancel reply

Comments

Top News: Economy