NSA Sounds Alarm On Severe Microsoft Windows Security Flaw

The vulnerability discovered by the NSA allows an attacker to undermine how Windows 10 and Windows Server 2016/2019 verify cryptographic trust and then leverage the misplaced trust to compromise users.

The National Security Agency (NSA) recently took the unprecedented step of promptly alerting Microsoft to a flaw it spotted in the Windows 10 operating system.

The U.S. intelligence agency has historically opted to weaponize vulnerabilities discovered in a vendor’s software for offensive purposes, mostly notably when it exploited a Microsoft flaw for more than a half-decade by creating a hacking tool called Eternal Blue. But this time around, the NSA opted to promptly disclose the issue to Microsoft, making it possible for the vendor to expeditiously issue a patch.

“This is…a change in approach…by NSA of working to share, working to lean forward, and then working to really share the data as part of building trust,” NSA Cybersecurity Directorate Director Anne Neuberger is quoted as saying in the Washington Post.

[Related: Microsoft Issues Emergency Security Patch For Internet Explorer Flaw]

The vulnerability discovered by the NSA allows an attacker to undermine how Windows 10 and Windows Server 2016/2019 verify cryptographic trust. As a result, the NSA said adversaries are able to craft certificates that spoof trusted web sites, software companies or service providers and then leverage that trust to compromise users or services on vulnerable systems.

“Sophisticated cyber actors will understand the flaw very quickly and, if exploited, would render the previously mentioned platforms are fundamentally vulnerable,” the NSA said in a cybersecurity advisory Tuesday. “The consequences of not patching the vulnerability are severe and widespread.”

The security flaw leaves Windows vulnerable to a broad range of exploitation vectors, and the NSA expects remote exploitation tools to quickly become widely available. Rapid adoption of the patch on all Windows 10 and Windows Server 2016/2019 systems is the only known mitigation for the vulnerability, and the NSA recommended that network owners make that their primary focus.

“This vulnerability may not seem flashy, but it’s a critical issue,” Neal Ziring, technical director of the NSA’s Cybersecurity Directorate, wrote in a blog post. “Trust mechanisms are the foundations on which the Internet operates, and [this vulnerability] permits a sophisticated threat actor to subvert those very foundations.”

An attacker can exploit this vulnerability by using a spoofed code-signing certificate, Microsoft said, making it appear as if the file was from a trusted, legitimate source. Microsoft said the user would have no way of knowing the file was malicious since the signature would appear to be from a trusted provider.

In addition, Microsoft said a successful exploit would allow the attacker to conduct man-in-the-middle operations. Decrypting the confidential information would therefore be possible when a user is connected to the affected software, according to Microsoft.

Microsoft hasn’t identified any mitigation factors or workarounds for this vulnerability, and has classified the flaw as “exploitation more likely.” This means that Microsoft is both aware of past instances of this type of vulnerability being exploited and believes the exploit code could be created in a way that allows an attacker to consistently exploit this vulnerability.

If enterprise-wide, automated patching isn’t possible, the NSA recommends that system owners prioritize patching endpoints that provide essential or broadly replied-upon services. Prioritization should also be given to endpoints that are more likely to be exploited due to their exposure to the internet or their regular use by privileged users, according to the NSA.

Although network devices and endpoint logging features can detect or prevent certain methods of exploitation, the NSA said the most effective mitigation is installing all patches. When possible, the NSA recommends applying patches to all affected endpoints rather than prioritizing specific classes of endpoints.