National Security Agency Discovers Vulnerability in Microsoft Windows

January 15, 2020, by Dina Bass and Alyza Sebenius, Bloomberg News (TNS)

SEATTLE — The National Security Agency announced that it had found a “critical vulnerability” in Microsoft Corp.’s Windows operating systems that could enable cyber intrusions.

The NSA recognized “the severity of the vulnerability” and disclosed it to Microsoft to expedite the process of fixing it, according to Anne Neuberger, the NSA’s director of cybersecurity, speaking to reporters on Tuesday. Microsoft released a patch the same day.

The Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security, released an emergency directive on Tuesday, saying that it “strongly recommends organizations install these critical patches as soon as possible.” DHS is urging federal civilian agencies to take “a series of immediate actions to mitigate this risk and to minimize the exposure to associated threats to our federal information systems,” said Bryan Ware, an assistant secretary in the department.

The NSA chose to publicly share that it had found the flaw — a break from past protocol when information about how vulnerabilities were discovered wasn’t made public — in order to build trust and encourage patching, Neuberger said.

“We wanted to take a new approach to sharing and also really work to build trust with the cybersecurity community,” she said.

Microsoft hasn’t seen the flaw used in active attacks, the company said in announcing the patch.

The flaw lies in a part of Windows software known as Crypt32.dll. That file is used by Windows 10 and the last two versions of the Windows Server operating systems to implement “many of the Certificate and Cryptographic Messaging functions in the CryptoAPI, such as CryptSignMessage,” according to Microsoft. This means that the flaw could affect a broad range of users.

The disclosure appears to represent an improvement in relations between Microsoft and the NSA, which previously secretly collected security exploits of Microsoft’s Windows in order to use the tools for its own hacks. Details of the practice became public in 2017 when a group known as the Shadow Brokers obtained and published the NSA’s tools, leading to an emergency for Microsoft as the company rushed to patch the “zero day” exploits. One month later, Microsoft blamed the NSA exploits for the global spread of malicious software called “WannaCrypt.”

Microsoft has a policy of regularly releasing security updates on the second Tuesday of each month, and this update aligns with that schedule, according to a Monday statement by Jeff Jones, a senior director at the company.

“We follow the principles of coordinated vulnerability disclosure (CVD) as the industry best practice to protect our customers from reported security vulnerabilities,” Jones said in the statement. “To prevent unnecessary risk to customers, security researchers and vendors do not discuss the details of reported vulnerabilities before an update is available.”

News of the NSA’s discovery was previously reported by The Washington Post and Krebs on Security, a cybersecurity blog.

The release of the patch draws attention to the flaw and creates urgency for organizations to fix it before bad actors use it for malicious purposes, according to government officials.

“Sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable,” the NSA said in a Tuesday advisory about the vulnerability.

“Because patches have been publicly released, the underlying vulnerabilities can be reverse-engineered to create exploits to target unpatched systems,” according to the Cybersecurity and Infrastructure Security Agency.

———

Bass reported from Seattle, Sebenius from Washington.

———

©2020 Bloomberg News

Visit Bloomberg News at www.bloomberg.com

Distributed by Tribune Content Agency, LLC.
