
National Security Agency Discovers Vulnerability in Microsoft Windows

January 15, 2020 by Dina Bass and Alyza Sebenius, Bloomberg News (TNS)
The news comes hours before Microsoft is scheduled to release a security update, which is part of a company practice of disclosing newly found software vulnerabilities in hardware. (Dreamstime/TNS)

SEATTLE — The National Security Agency announced that it had found a “critical vulnerability” in Microsoft Corp.’s Windows operating systems that could enable cyber intrusions.

The NSA recognized “the severity of the vulnerability” and disclosed it to Microsoft to expedite the process of fixing it, according to Anne Neuberger, the NSA’s director of cybersecurity, speaking to reporters on Tuesday. Microsoft released a patch the same day.

The Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security, released an emergency directive on Tuesday, saying that it “strongly recommends organizations install these critical patches as soon as possible.” DHS is urging federal civilian agencies to take “a series of immediate actions to mitigate this risk and to minimize the exposure to associated threats to our federal information systems,” said Bryan Ware, an assistant secretary in the department.

The NSA chose to publicly share that it had found the flaw — a break from past protocol when information about how vulnerabilities were discovered wasn’t made public — in order to build trust and encourage patching, Neuberger said.

“We wanted to take a new approach to sharing and also really work to build trust with the cybersecurity community,” she said.

Microsoft hasn’t seen the flaw used in active attacks, the company said in announcing the patch.

The flaw lies in a part of Windows software known as Crypt32.dll. That file is used by Windows 10 and the last two versions of the Windows Server operating systems to implement “many of the Certificate and Cryptographic Messaging functions in the CryptoAPI, such as CryptSignMessage,” according to Microsoft. This means that the flaw could affect a broad range of users.

The disclosure appears to represent an improvement in relations between Microsoft and the NSA, which previously secretly collected security exploits of Microsoft’s Windows in order to use the tools for its own hacks. Details of the practice became public in 2017 when a group known as the Shadow Brokers obtained and published the NSA’s tools, leading to an emergency for Microsoft as the company rushed to patch the “zero day” exploits. One month later, Microsoft blamed the NSA exploits for the global spread of malicious software called “WannaCrypt.”

Microsoft has a policy of regularly releasing security updates on the second Tuesday of each month, and this update aligns with that schedule, according to a Monday statement by Jeff Jones, a senior director at the company.

“We follow the principles of coordinated vulnerability disclosure (CVD) as the industry best practice to protect our customers from reported security vulnerabilities,” Jones said in the statement. “To prevent unnecessary risk to customers, security researchers and vendors do not discuss the details of reported vulnerabilities before an update is available.”

News of the NSA’s discovery was previously reported by The Washington Post and Krebs on Security, a cybersecurity blog.

The release of the patch draws attention to the flaw and creates an urgency for organizations to fix it before bad actors use it for malicious purposes, according to government officials.

“Sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable,” the NSA said in a Tuesday advisory about the vulnerability.

“Because patches have been publicly released, the underlying vulnerabilities can be reverse-engineered to create exploits to target unpatched systems,” according to the Cybersecurity and Infrastructure Security Agency.

———

Bass reported from Seattle, Sebenius from Washington.

———

©2020 Bloomberg News

Visit Bloomberg News at www.bloomberg.com

Distributed by Tribune Content Agency, LLC.
