Microsoft released a patch for Windows 10 and Server 2016 today after the National Security Agency found and disclosed a serious vulnerability. It’s a rare but not unprecedented tip-off, one that underscores the flaw’s severity—and maybe hints at new priorities for the NSA.
The bug is in Windows’ mechanism for confirming the legitimacy of software or establishing secure web connections. If the verification check itself isn’t trustworthy, attackers can exploit that fact to remotely distribute malware or intercept sensitive data.
“[We are] recommending that network owners expedite implementation of the patch immediately as we will also be doing,” Anne Neuberger, head of the NSA’s Cybersecurity Directorate, said on a call with reporters on Tuesday. “When we identified a broad cryptographic vulnerability like this we quickly turned to work with the company to ensure that they could mitigate it.”
The flaw is specifically in Microsoft’s CryptoAPI service, which helps developers cryptographically “sign” software and data or generate digital certificates used in authentication—all to prove trustworthiness and validity when Windows checks for it on users’ devices. An attacker could potentially exploit the bug to undermine crucial protections, and ultimately take control of victim devices.
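To make concrete what the article means by a "verification check," the following is an added example written for this page; it is not code from the article, from Microsoft, or from the NSA, and it does not reproduce the CryptoAPI bug. It uses Go's standard `crypto/x509` package as a stand-in for any certificate validator and shows the check such a validator must get right: a signature on a certificate is only meaningful if it chains to a key that is actually in the trust store. The certificate names and keys are constructed on the fly; the look-alike root shares the trusted root's name but has a different key, and a sound validator rejects the chain it issues.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a fresh P-256 ECDSA key (constructed for this example).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// makeCert issues a certificate for key, signed by parentKey under parent.
// When parent is nil the certificate is self-signed, i.e. a root CA.
func makeCert(serial int64, cn string, isCA bool, key *ecdsa.PrivateKey,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// Leaf certificates in this example are code-signing certificates.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// VerifyCodeSigningChain is the check a trustworthy validator must perform:
// build a chain from the leaf to a root that is really in the trust store and
// verify every signature along the way. It returns nil only for a valid chain.
func VerifyCodeSigningChain(leaf *x509.Certificate, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// Demo builds a trusted root, a genuine leaf issued by it, and a look-alike
// chain whose root carries the same name as the trusted one but a different
// key. It returns the verification result for the genuine leaf (expected nil)
// and for the look-alike leaf (expected an error).
func Demo() (genuineErr, lookalikeErr error) {
	rootKey := newKey()
	root := makeCert(1, "Example Trusted Root CA", true, rootKey, nil, nil)

	roots := x509.NewCertPool()
	roots.AddCert(root) // the only anchor this validator trusts

	// Genuine chain: leaf signed with the trusted root's private key.
	leafKey := newKey()
	leaf := makeCert(2, "Example Software Publisher", false, leafKey, root, rootKey)

	// Look-alike chain: same issuer name, different key, never added to the pool.
	fakeRootKey := newKey()
	fakeRoot := makeCert(1, "Example Trusted Root CA", true, fakeRootKey, nil, nil)
	fakeLeafKey := newKey()
	fakeLeaf := makeCert(2, "Example Software Publisher", false, fakeLeafKey, fakeRoot, fakeRootKey)

	return VerifyCodeSigningChain(leaf, roots), VerifyCodeSigningChain(fakeLeaf, roots)
}

func main() {
	genuine, lookalike := Demo()
	fmt.Println("genuine chain:   ", genuine)   // <nil>
	fmt.Println("look-alike chain:", lookalike) // x509: certificate signed by unknown authority
}
```

The point for administrators is that the second result is the one the validator must never get wrong: the issuer name on the look-alike chain matches a trusted root exactly, so the only thing standing between that chain and acceptance is a correct signature check against the key held in the trust store.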
“Think of signing malware as if it’s trusted by Microsoft or intercepting encrypted web traffic,” says David Kennedy, CEO of the corporate security evaluation firm TrustedSec, who formerly worked at the NSA. “That would completely evade so many protections.”
As researchers and cybercriminals alike study the vulnerability and rush to develop a hacking tool that takes advantage of it, the scale of the risk to users will become clearer. But a flaw in a crucial cryptographic component of Windows is certainly problematic, especially given that Windows 10 is the most-used operating system in the world, installed on more than 900 million PCs.
“This is a core, low-level piece of the Windows operating system and one that establishes trust between administrators, regular users, and other computers on both the local network and the internet,” says Kenn White, security principal at MongoDB and director of the Open Crypto Audit Project. “If the technology that ensures that trust is vulnerable, there could be catastrophic consequences. But precisely what scenarios and preconditions are required—we’re still analyzing. It will be a long day for a lot of Windows administrators around the world.”
The NSA’s decision to share the vulnerability brings to mind the NSA hacking tool known as Eternal Blue, which exploited a Windows bug patched in early 2017. That flaw was present in all versions of Windows available at the time, and the NSA had known about the bug—and exploited it for digital espionage—for more than five years. Eventually, the NSA lost control of Eternal Blue; a few weeks after Microsoft issued a fix, a mysterious hacking group known as the Shadow Brokers leaked the tool online. Criminals and nation-state hackers alike had a field day with the tool, as Windows machines around the world slowly got around to patching.
The Windows 10 validation bug may be the NSA’s attempt to avoid a similar debacle. And unlike with Eternal Blue, Neuberger made a point of saying that the agency had not used the exploit itself.
In fact, Neuberger said that disclosing the code verification bug to Microsoft and the public is part of a new NSA initiative in which the agency will share its vulnerability findings more quickly and more often. The effort will work alongside the existing Vulnerability Equities Process run by the National Security Council, which weighs the national security importance of keeping hacking tools secret versus disclosing vulnerabilities.
That’s why the NSA didn’t just disclose the vulnerability, but made its role public. “It’s hard for entities to trust that we indeed take this seriously,” she said, “and [that] ensuring that vulnerabilities can be mitigated is an absolute priority.”