Microsoft is patching a serious flaw in various versions of Windows today after the National Security Agency (NSA) discovered and reported a security vulnerability in Microsoft’s handling of certificate and cryptographic messaging functions in Windows. The flaw, which hasn’t been marked critical by Microsoft, could allow attackers to spoof the digital signature tied to pieces of software, allowing unsigned and malicious code to masquerade as legitimate software.
The bug is a problem for any environment that relies on digital certificates to validate the software its machines run, a potentially far-reaching security issue if left unpatched. The NSA reported the flaw to Microsoft recently, and it's recommending that enterprises patch immediately and, where every system can't be patched at once, prioritize those that provide critical services, such as domain controllers, VPN servers, and DNS servers. Security reporter Brian Krebs first revealed the extent of the flaw yesterday, warning of potential issues with authentication on Windows desktops and servers.
Microsoft is now patching Windows 10, Windows Server 2016, and Windows Server 2019. The software giant says it has not seen active exploitation of the flaw in the wild, and it has marked it as “important” and not the highest “critical” level that it uses for major security flaws. That’s not a reason to delay patching, though. Malicious actors will inevitably reverse-engineer the fix to discover the flaw and use it on unpatched systems.
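As an added example (not code from the article, from Microsoft, or from the NSA advisory), the following PowerShell triage script turns the two facts above into a per-host check: whether the machine runs one of the three product lines Microsoft is patching, and whether it holds one of the roles the NSA says to patch first. The service names used to detect the DNS and VPN roles, and the Patch Tuesday date used as the "is there anything installed since the fix shipped" threshold, are assumptions to adjust for the environment.

```powershell
# Added example, not code from the article, Microsoft, or the NSA advisory.
# Classifies this host by (a) whether it runs one of the product lines the
# article says are being patched and (b) whether it holds one of the roles the
# NSA advisory says to prioritize. Service names and the patch date are
# assumptions; adjust them for your environment. Run from an elevated prompt.

$os = Get-CimInstance -ClassName Win32_OperatingSystem

# Product lines named in the article. Anything else is reported as
# 'not in scope' for this particular patch, which is not the same as 'safe'.
$inScope = $os.Caption -match 'Windows 10|Windows Server 2016|Windows Server 2019'

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller,
# 3 = member server.
$isDC = ($os.ProductType -eq 2)

# DNS Server role: the service is named 'DNS'. VPN: assumed here to be
# Routing and Remote Access ('RemoteAccess'); third-party VPN servers need
# their own check.
$isDNS = $null -ne (Get-Service -Name DNS -ErrorAction SilentlyContinue)
$ras   = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
$isVPN = ($null -ne $ras) -and ($ras.Status -eq 'Running')

# Roles the NSA advisory says to patch first get the top priority.
$priority = if ($isDC -or $isDNS -or $isVPN) { 'Patch first' } else { 'Patch now' }

# Assumed date of the Patch Tuesday on which the fix shipped (January 14, 2020).
# An in-scope host with no update installed on or after that date has not
# received the fix; one with updates since then still needs the specific KB
# confirmed against Microsoft's advisory.
$patchDay = [datetime]'2020-01-14'
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchDay }

[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    OS                   = $os.Caption
    Build                = $os.BuildNumber
    InScope              = $inScope
    DomainController     = $isDC
    DnsServer            = $isDNS
    VpnServer            = $isVPN
    Priority             = $priority
    UpdatesSincePatchDay = ($recent.HotFixID -join ', ')
}
```

Run it through Invoke-Command across the fleet and sort on Priority and InScope. One caveat worth keeping in mind: because the flaw fools the operating system's own signature validation, a signature check performed on an unpatched host (Get-AuthenticodeSignature, for instance) cannot be used as evidence that the host is safe; patch status, not signature status, is the thing to verify.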
The NSA warns of exactly that in its own advisory, and suggests that this is a major vulnerability despite Microsoft not marking it as critical. “The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors,” says an NSA statement. “NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable.”
It’s unusual to see the NSA reporting these types of vulnerabilities directly to Microsoft, but it’s not the first time the government agency has done so. This is the first time the NSA has accepted attribution from Microsoft for a vulnerability report, though. Krebs claims it’s part of a new initiative to make the agency’s research available to software vendors and the public.
A previous NSA exploit targeting Windows' file-sharing protocol, dubbed EternalBlue, leaked in 2017 and caused widespread damage. It was used by the WannaCry ransomware and other variants to lock up computers from the UK's National Health Service to the Russian Ministry of the Interior. Microsoft was forced to issue an emergency patch for Windows XP, even though the operating system had reached end of support.
Update, January 14th 2PM ET: Article updated with statement from the NSA.