NSA reveals Microsoft cryptography flaw as Windows 7 support… edited by Ferratum

On the same day it stopped support for Windows 7, Microsoft has fixed a huge flaw in its Windows 10 operating systems powering more than 900 million devices after a tip-off from an unlikely source.

For the first time, the famously prying eyes of the US National Security Agency (NSA, the same shadowy organisation that was exposed as spying on its own citizens by contractor-turned-whistleblower Edward Snowden in 2013) have been credited for disclosing a vulnerability it discovered in Windows rather than potentially exploiting it.

The flaw affects the way Windows 10 and some enterprise versions of the operating system handle digital “signatures” using what’s called elliptic curve cryptography.

Signatures are used to do things like encrypt communications so only the intended recipients can read them as well as verify the legitimacy of software being installed on your PC.

It’s also used by Bitcoin to allow users to transfer and spend the cryptocurrency.


“An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source,” Microsoft said in its latest security update guide, released as the patch became available in line with standard policies of not publicly disclosing vulnerabilities until a fix exists.

Disturbingly, there’s no way you’d be able to tell the malicious software was doing anything nefarious.

“The user would have no way of knowing the file was malicious because the digital signature would appear to be from a trusted provider,” Microsoft said.

“A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software,” the company explained.

The NSA echoed Microsoft’s guidance and said the vulnerability could have allowed hackers to hide behind a mask of legitimate software to run malicious code.

“Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities,” the NSA said in a cybersecurity advisory dated January 14.

The agency also said the flaw could be used to compromise HTTPS connections, the supposedly secure method of sending information over the internet, often used by banks and online stores to protect and access your payment details.

“NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly,” the agency said.

“Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.”


The vulnerability has been patched by Microsoft, which gave advance help to government clients before widely rolling out a fix in its first “Patch Tuesday” of the decade on January 14.

Patch Tuesday is the unofficial name given to Microsoft’s update cycle. The company usually issues updates to its products on the second Tuesday of each month, which is often closely followed by “Exploit Wednesday”, when hackers try to exploit the newly disclosed vulnerabilities on systems that remain unpatched.

The NSA is placing heavy importance on this particular Patch Tuesday, and it seems unable to overstate that importance.

“This kind of vulnerability may shake our belief in the strength of cryptographic authentication mechanisms and make us question if we can really rely on them,” NSA technical director Neal Ziring said in a separate announcement from the agency.

That importance could be the reason the NSA disclosed it rather than turning it into a tool to be exploited, according to one security analyst.


Head of security analytics at cyber defence firm Vectra AI, Chris Morales, credited the NSA for reporting the flaw and Microsoft for quickly acting to fix it but added he wanted to know more about why the agency didn’t keep the exploit under its hat.

“I’d be interested to understand what makes this exploit worth reporting to Microsoft instead of keeping for their personal arsenal as they have in the past,” Mr Morales said in an email to news.com.au.

“It could be because many of those previous tools leaked and have caused widespread damage across multiple organisations,” he theorised, citing the EternalBlue tool developed by the NSA to exploit a flaw in Windows that then leaked publicly with disastrous consequences, including the WannaCry ransomware attack.

“It could be because there was concern others would find this vulnerability themselves and it was dangerous enough to warrant remediation instead of weaponising,” he continued, before adding one more disturbing theory as to why the agency disclosed the flaw to Microsoft.

“It just could be the NSA already has enough other methods for compromising a Windows system and doesn’t need it.”

Former director of the US Department of Homeland Security’s National Cyber Security Division and now CEO of cybersecurity firm Tenable, Amit Yoran, also raised questions about how the vulnerability was discovered and why it was disclosed.

“For the US Government to share its discovery of a critical vulnerability with a vendor is exceptionally rare if not unprecedented,” Mr Yoran said, adding the disclosure shows the level of concern over the vulnerability.

“The fact that Microsoft provided a fix in advance to US Government and other customers which provide critical infrastructure is also highly unusual. These are clearly noteworthy shifts from regular practices and make this vulnerability worth paying attention to and also worth asking questions about.”

Mr Yoran said he wanted to know when the vulnerability was discovered and how quickly the NSA reported it, as well as whether it had been used, but added organisations still needed to protect themselves by applying the patch.

Microsoft said in its security guidance that it hadn’t found any example of the vulnerability being exploited.
