Microsoft has issued a patch for a severe vulnerability in Windows 10, and people should take action now to make sure their platforms are up to date. The vulnerability was discovered by the US National Security Agency (NSA), which held a press conference on Tuesday to highlight its severity and urge people to take immediate action.
What is it and what does it affect?
The vulnerability is in the Windows component crypt32.dll, which validates a program’s security certificate and, on that basis, gives it permission to run executable code. If exploited, the vulnerability can cause Windows to approve a spoofed digital signature and allow malicious code to run – seemingly from a legitimate source. It affects Windows 10 and Windows Server 2016/2019.
But there are further implications, including a higher potential for man-in-the-middle attacks. This is when communications are intercepted by a third party, which can then be used to perpetrate fraud or steal information. Such attacks are most common when proper authentication processes aren’t in place, but the new vulnerability increases the risk because the spoofed digital signature is approved by Windows itself. As native Windows browsers, IE and Edge would also be affected and could redirect users to malicious content that appears safe.
The role of the NSA
It’s rare for the NSA to publicly warn of a particular vulnerability, though not unheard of, as seen in last year’s concerns over BlueKeep. But in the past the agency hasn’t been so forthcoming. It has typically focused on creating useful exploits, such as EternalBlue, which was later leaked by the hacker group the Shadow Brokers and used in both WannaCry and NotPetya, causing billions of pounds’ worth of damage across the globe. To add insult to injury, EternalBlue just won’t go away and regularly resurfaces – despite a patch having been available since 2017.
Keen to make amends and rebuild trust, the NSA has emphasised a change in its approach and shared information on the vulnerability.
Rickrolling is just the start
Less than 24 hours after news of the vulnerability broke, security researchers had already produced exploits for it. One used it to Rickroll the NSA and GitHub websites and, worryingly, highlighted that it could be done in as little as 10 lines of code. While that researcher hasn’t published the code used, others have, and it won’t be long before we see it used for malicious purposes.
“The flaw is specifically in Microsoft's CryptoAPI service, which helps developers cryptographically ‘sign’ software and data or generate digital certificates used in authentication—all to prove trustworthiness and validity when Windows checks for it on users' devices. An attacker could potentially exploit the bug to undermine crucial protections, and ultimately take control of victim devices.”