NSA Gives Microsoft a Heads Up About Critical Windows 10 Security Flaw
Extending an olive branch in the shift towards transparency, the National Security Agency disclosed a bug that had the potential to expose over 900 million PCs to attack.
A patch for Windows 10 and Windows Server 2016 was released recently after the NSA told Microsoft about serious vulnerabilities it had found. This disclosure is major, and rare, as the NSA typically does not publicly share information about its vulnerability discoveries, especially in light of the EternalBlue exploit it developed. (EternalBlue is malicious software developed by the NSA and leaked by a hacker group to expose what the agency was doing.)
The vulnerability disclosed by the NSA underscores the potential impact this flaw had on businesses and consumers, as it would have allowed attackers to pose as legitimate software vendors. Windows has a mechanism, the CryptoAPI service, that confirms whether an installed piece of software is valid and whether something trying to establish a secure web connection is legitimate. It allows developers to "sign" their software and data in order to prove trustworthiness and validity when Microsoft checks a user's computer. The bug was found in this mechanism and could have let malicious software install itself and pass the check that it is safe and valid software, rendering the safety check worthless. As Ashkan Soltani, a security expert from the FTC, put it: "It's the equivalent of a building security desk checking IDs before permitting a contractor to come up and install new equipment."
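To make the "security desk checking IDs" analogy concrete, here is an added illustration (not code from the article, from Microsoft, or a description of the actual Windows bug) of what a code-signing check must and must not do. It contrasts a naive verifier, which trusts whatever public key the signed bundle itself carries, with an anchored verifier that only accepts signatures made under keys already in its own trust store. The `Bundle` type, the key names and the installer bytes are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer models a software publisher holding an ECDSA P-256 key pair.
type Signer struct{ priv *ecdsa.PrivateKey }

func NewSigner() (*Signer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

func (s *Signer) Public() *ecdsa.PublicKey { return &s.priv.PublicKey }

// Bundle is a constructed stand-in for a signed installer: the payload, an
// ASN.1 ECDSA signature over its SHA-256 digest, and the public key the
// producer *claims* the signature was made with.
type Bundle struct {
	Payload    []byte
	Signature  []byte
	ClaimedPub *ecdsa.PublicKey
}

// SignBundle signs the payload and packages it with the signer's public key.
func (s *Signer) SignBundle(payload []byte) (*Bundle, error) {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Bundle{Payload: payload, Signature: sig, ClaimedPub: s.Public()}, nil
}

// VerifyNaive is the flawed design: it checks the signature against the key
// the bundle itself carries. Any key pair satisfies it, so it proves nothing
// about who produced the bundle; it is the desk that accepts a self-printed ID.
func VerifyNaive(b *Bundle) bool {
	digest := sha256.Sum256(b.Payload)
	return ecdsa.VerifyASN1(b.ClaimedPub, digest[:], b.Signature)
}

// VerifyAnchored is the sound design: the signature must verify under a key
// already present in the verifier's own trust store. The key carried in the
// bundle is never consulted, so an unknown publisher cannot vouch for itself.
func VerifyAnchored(trusted []*ecdsa.PublicKey, b *Bundle) bool {
	digest := sha256.Sum256(b.Payload)
	for _, pub := range trusted {
		if ecdsa.VerifyASN1(pub, digest[:], b.Signature) {
			return true
		}
	}
	return false
}

func main() {
	vendor, _ := NewSigner()
	impostor, _ := NewSigner()
	trusted := []*ecdsa.PublicKey{vendor.Public()} // the verifier's trust store

	genuine, _ := vendor.SignBundle([]byte("constructed installer bytes"))
	forged, _ := impostor.SignBundle([]byte("constructed installer bytes"))

	fmt.Println("genuine, naive:   ", VerifyNaive(genuine))             // true
	fmt.Println("forged,  naive:   ", VerifyNaive(forged))              // true (the flaw)
	fmt.Println("genuine, anchored:", VerifyAnchored(trusted, genuine)) // true
	fmt.Println("forged,  anchored:", VerifyAnchored(trusted, forged))  // false
}
```

The defender-side lesson is the same one the article's analogy makes: the signature check is only as strong as the place the trusted identity comes from. If any part of "who signed this" is taken from the artifact being checked rather than from the verifier's own trust store, the check can be satisfied by whoever built the artifact.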
Compromising this feature would let hackers easily impersonate valid software companies and open up users everywhere to potential harm. Users and businesses are advised to prioritize patching this vulnerability as soon as possible.