National Security Agency Confirms Windows 10 Security Flaw 'Makes Trust Vulnerable'
Earlier today, I reported that the security grapevine was buzzing with rumors that an “extraordinarily serious” security vulnerability in a core cryptographic component of Windows 10 was to be disclosed when the monthly Microsoft Windows Patch Tuesday updates were released. While there is still no news from Microsoft itself ahead of the Patch Tuesday disclosure, the National Security Agency’s (NSA) director of cybersecurity, Anne Neuberger, has now confirmed that the vulnerability exists.
Here’s what she had to say, and what we now know.
NSA director of cybersecurity confirms Windows 10 security flaw
In a briefing call to media today, the NSA director of cybersecurity, Anne Neuberger, confirmed the existence of the vulnerability rumored to be fixed in the Patch Tuesday release later today. Neuberger disclosed that it was the NSA which reported the vulnerability to Microsoft, and that “this was the first time Microsoft will have credited NSA for reporting a security flaw.” Brian Krebs, who was first to report on the rumors circulating within the information security bubble, said that Microsoft’s advisory later today, “will state that Microsoft has seen no active exploitation” of the vulnerability to date.
There remains some confusion over which versions of Windows are affected by what is still assumed to be a vulnerability within the crypt32.dll component that deals with Windows security certificates and cryptographic messaging functions. In that NSA briefing call, Krebs reports that the NSA director stated only that the problem exists within Windows 10 and Windows Server 2016. Whether it also impacts users of older versions of the operating system will not be known, one way or the other, until Microsoft discloses more information with the Patch Tuesday update release.
However, even though we are all going to have to wait until later for the full disclosure and hopefully some more technical detail, Neuberger is reported to have said that the flaw “makes trust vulnerable,” and that’s why the NSA is taking it so seriously.
This would also explain why it has been rumored that U.S. military and high-value internet infrastructure targets have been shipped the fix already, under strict non-disclosure agreements.
“If the NSA reported it,” security professional John Opdenakker says, “I think that the impact of the vulnerability being exploited is high. Until we have more information, we can’t say anything about the actual risk for the average user.”
Sean Wright, OWASP Scotland chapter leader, says that anything that makes trust vulnerable, in the words of the NSA director of cybersecurity, “sounds like something to be concerned with, especially if it is coming out of the NSA itself. This could impact anything from device drivers to browsing the Internet.”
For now, the advice remains the same: don’t defer this particular Windows Patch Tuesday update, get it done in a timely manner.
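For administrators who want to confirm that the update has actually landed on a Windows 10 or Windows Server 2016 host rather than simply trusting that it was deferred no longer, the PowerShell script below is an added example written for this article; it is not Microsoft's or the NSA's code. It reports the installed crypt32.dll version, lists recently installed hotfixes, checks for any KB numbers you supply, and asks the built-in Windows Update Agent COM API which software updates are still pending. Because neither Microsoft nor the NSA has published the KB number or the fixed crypt32.dll build at the time of writing, the `-ExpectedKB` and `-MinCrypt32Version` parameters are placeholders to be filled in from Microsoft's advisory once it is released.

```powershell
# Added example, not code from the original article or from Microsoft/NSA.
# Post-patch verification for a Windows 10 / Windows Server 2016 host.
# Run from an elevated PowerShell prompt.
[CmdletBinding()]
param(
    # Placeholder assumption: fill in the KB(s) named in Microsoft's advisory.
    [string[]]$ExpectedKB = @(),
    # Placeholder assumption: the minimum crypt32.dll version carried by the fix.
    [version]$MinCrypt32Version = $null,
    # How far back to look when listing recently installed hotfixes.
    [int]$RecentDays = 7
)

function Get-Crypt32Version {
    # crypt32.dll is the CryptoAPI certificate and cryptographic-messaging library
    # named in the reports; its ProductVersion is the clean "10.0.build.rev" form.
    $path = Join-Path $env:SystemRoot 'System32\crypt32.dll'
    $info = (Get-Item -LiteralPath $path).VersionInfo
    if ($info.ProductVersion -match '^\d+(\.\d+){1,3}') {
        return [version]$Matches[0]
    }
    throw "Could not parse crypt32.dll version from '$($info.ProductVersion)'"
}

function Get-RecentHotFixes([int]$Days) {
    # Get-HotFix reads Win32_QuickFixEngineering; it lists cumulative updates
    # by KB number but is not guaranteed to show every package, so treat the
    # Windows Update Agent query below as the authoritative "still pending" list.
    $since = (Get-Date).AddDays(-$Days)
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $since } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn
}

function Test-ExpectedKBs([string[]]$KBs) {
    $installed = (Get-HotFix).HotFixID
    foreach ($kb in $KBs) {
        $id = if ($kb -like 'KB*') { $kb } else { "KB$kb" }
        [pscustomobject]@{
            KB        = $id
            Installed = ($installed -contains $id)
        }
    }
}

function Get-PendingSoftwareUpdates {
    # Built-in Windows Update Agent COM API: no third-party module required.
    # It queries the host's configured update source (Windows Update or WSUS),
    # so that source must be reachable for the search to succeed.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title    = $u.Title
            KBs      = (@($u.KBArticleIDs) -join ',')
            Severity = $u.MsrcSeverity
        }
    }
}

# --- report ---------------------------------------------------------------
$ver = Get-Crypt32Version
"crypt32.dll version: $ver"
if ($MinCrypt32Version -and $ver -lt $MinCrypt32Version) {
    Write-Warning "crypt32.dll ($ver) is below the expected fixed version $MinCrypt32Version"
}

"Hotfixes installed in the last $RecentDays days:"
Get-RecentHotFixes -Days $RecentDays | Format-Table -AutoSize

if ($ExpectedKB.Count -gt 0) {
    "Expected KB status:"
    Test-ExpectedKBs -KBs $ExpectedKB | Format-Table -AutoSize
    $missing = Test-ExpectedKBs -KBs $ExpectedKB | Where-Object { -not $_.Installed }
    if ($missing) { Write-Warning ("Missing: " + (($missing.KB) -join ', ')) }
}

"Pending software updates reported by the Windows Update Agent:"
Get-PendingSoftwareUpdates | Format-Table -AutoSize
```

Once Microsoft's advisory is out, run it as `.\Check-Crypt32Patch.ps1 -ExpectedKB 'KB<number from the advisory>'` (the script name is arbitrary). A host where the Windows Update Agent still lists the January cumulative update as pending has not received the fix, whatever Get-HotFix shows, and should be patched through the organisation's normal channel (Windows Update, WSUS or a management tool) rather than left for a later maintenance window.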
“This isn’t the best timing for a Patch Tuesday update,” Jake Moore, a cybersecurity specialist with ESET, says, “it just echoes that this can be the problem with updates and the confidence that goes alongside them.” Moore says that while the vulnerability may make trust vulnerable, users also need a certain level of trust to form a basis. “Microsoft will constantly be targeted with attacks, so it is no surprise when they are hit,” Moore concludes, “at least the NSA is sharing vulnerabilities this time before we see another WannaCry on the horizon.”
I will update this story once Microsoft and the NSA make further disclosures regarding this “extraordinarily serious” vulnerability.