The National Security Agency disclosed a major vulnerability in the latest versions of Windows 10 and Windows Server 2016 to Microsoft, which released fixes for the issue on Tuesday, the MIT Technology Review reported.
The NSA took the unusual step (for an intelligence agency) of issuing a press release on the matter, writing the critical vulnerability affected Window’s core cryptographic functionality and would allow “attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.” That could possibly compromise security features including HTTPS connections, signed files and emails, and “signed executable code launched as user-mode processes,” according to the NSA.
The NSA added in the release that “it assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable.” However, it said it had no evidence that anyone had actually capitalized on the vulnerability. Microsoft also said it had not seen anything that would lead it to believe the vulnerability has been successfully exploited in the wild, the MIT Technology Review wrote.
The NSA’s release also contained a guide for network administrators to prevent and detect possible uses of the vulnerability, as well as urged them to prioritize “patching endpoints that provide essential or broadly replied-upon services.” It added that administrators should also prioritize endpoints “directly exposed to the internet” or which are routinely used by people with administrative privileges.
Cybersecurity blogger Brian Krebs mentioned rumors that Microsoft was rushing to fix a problem with crypt32.dll, the Windows module that handles cryptography, on Monday. Krebs’ sources said that the vulnerability could be used to spoof digital signatures tied to specific software builds, thus allowing attackers to trick users into believing malware-infected programs were legitimate software. NSA director of cybersecurity Anne Neuberger told reporters that this was the first time Microsoft has publicly credited the agency for detecting a software flaw, according to Krebs.
It’s hard to understate the potential impact of this bug, which could allow attackers to gain control of hundreds of millions of machines running Windows 10 or Windows Server 2016. MongoDB security principal and Open Crypto Audit Project director told Wired it could have had “catastrophic consequences,” depending on “what scenarios and preconditions are required, we’re still analyzing.” Former NSA staffer and Rendition Infosec founder Jake Williams told TechCrunch that it was well suited for state espionage purposes and essentially acted as “a skeleton key for bypassing any number of endpoint security controls.” Both the NSA and Microsoft kept a tight lid on the vulnerability, sources told TechCrunch, and released patches for government, military, and industry organizations before the patch was rolled out to the general public on Tuesday.
The MIT Technology Review reported that this appears to be part of a shift from prior NSA practice to simply log the bug and exploit it for intelligence purposes and towards cyber defense. The NSA launched a Cybersecurity Directorate late last year with the stated intention of aligning defensive cybersecurity with its foreign intelligence gathering operations, as well as protecting U.S. defense and industrial networks from intrusion. It also probably does not hurt that fixing the bug might help rehabilitate the NSA’s reputation after the EternalBlue fiasco, in which a leaked NSA exploit was used to enable waves of ransomware across the globe.
“We want a new approach to sharing, to build trust with the cybersecurity community,” Neuberger told reporters, per the MIT Technology Review. “This is one key aspect of that.”
“A part of building trust is showing the data,” Neuberger added. “We’ve submitted vulnerabilities for a long time, but we’ve never permitted attribution, and as a result it’s hard for entities to trust us. The second part of the decision is that we want to lean forward to advise critical infrastructure networks, to raise awareness. In order to do so, we knew we had to be very transparent about it.”
“Make no mistake, though; the NSA will continue to hoard zero-days and leverage them as required to accomplish their objectives,” Rick Holland, chief information security officer at San Francisco-based Digital Shadows, told the Guardian.