The US National Security Agency (NSA) has discovered a major flaw in Windows 10 that could have been used by hackers to create malicious software that looked legitimate. It is the first time in its history that the NSA has publicly accepted attribution for reporting a vulnerability.
Microsoft is now patching Windows 10, Windows Server 2016, and Windows Server 2019. The software giant says it has not seen active exploitation of the flaw in the wild, and it has marked it as “important” and not the highest “critical” level that it uses for major security flaws. That’s not a reason to delay patching, though. Malicious actors will inevitably reverse-engineer the fix to discover the flaw and use it on unpatched systems.
The problem exists in a core component of Windows known as crypt32.dll, a library that gives software developers access to various cryptographic functions, including handling of the digital certificates used to sign software. In theory, it could allow attackers to spoof the digital signature tied to a piece of software, letting unsigned and malicious code masquerade as legitimate software.
Some computers will get the fix automatically, if they have the automatic update option turned on. Others can get it manually by going to Windows Update in the computer’s settings.
Microsoft typically releases security and other updates once a month and waited until Tuesday to disclose the flaw and the NSA’s involvement. Microsoft and the NSA both declined to say when the agency privately notified the company.
A previous NSA exploit targeting Windows’ file-sharing protocol, dubbed EternalBlue, leaked two years ago and caused widespread damage. It led to WannaCry ransomware and other variants locking up computers from the UK’s National Health Service to the Russian Ministry of the Interior. Microsoft was forced to issue an emergency patch for Windows XP, even though the operating system had reached end of support.