Major Flaw In Microsoft Windows Revealed By NSA

Microsoft pushes out critical security fix, after tip off from the US National Security Agency about serious flaw in all versions of Windows

Microsoft has included in its Patch Tuesday security update for January a fix for a potentially critical vulnerability affecting all Windows machines.

What makes this unusual is that Microsoft was tipped off about the flaw by the US National Security Agency (NSA), which for the first time publicly took credit for finding and alerting Redmond to the vulnerability.

It comes as Microsoft officially pulled the plug on Windows 7 this week. While Windows 7 computers will still continue to function after Tuesday, they will no longer receive technical support, software updates or security fixes.


Extraordinarily serious

News of the serious flaw in Windows was first reported on by security researcher and journalist Brian Krebs, of KrebsOnSecurity.

It centres on a flaw in ‘a core cryptographic component present in all versions of Windows,’ namely a Windows component known as crypt32.dll.

This is a core Windows component that secures Windows, as it handles “certificate and cryptographic messaging functions in the CryptoAPI.”

To give an idea of how serious this is, the Microsoft CryptoAPI is said to provide services that enable developers to secure Windows-based applications using cryptography. It includes functionality for encrypting and decrypting data using digital certificates.

Krebs wrote his article prior to Microsoft posting its Patch Tuesday update.

“Sources tell KrebsOnSecurity that Microsoft Corp. is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows,” wrote Krebs.

“Those sources say Microsoft has quietly shipped a patch for the bug to branches of the US military and to other high-value customers/targets that manage key Internet infrastructure, and that those organisations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020,” he wrote.

This component was introduced back in Windows NT (20 years ago) and has been in all versions of Windows ever since.

NSA warning

Krebs pointed out there had been rumblings in the security sector of a very serious flaw that was about to be revealed, prior to the Microsoft update.

He cited a tweet from Will Dormann, a security researcher who authors many of the vulnerability reports for the CERT Coordination Center (CERT-CC), after he had tweeted that “people should perhaps pay very close attention to installing tomorrow’s Microsoft Patch Tuesday updates in a timely manner. Even more so than others. I don’t know…just call it a hunch?”

The flaw was then revealed in an NSA press conference on Tuesday, as the Patch Tuesday update started rolling out.

It is not clear how long the NSA has known about the flaw, but the good news is that the flaw does not seem to be exploited in the wild (yet). But system admins are advised to apply the CVE-2020-0601 patch immediately.

The NSA’s director of cyber-security Anne Neuberger was quoted by the BBC as telling reporters that the bug “makes trust vulnerable”.

She added that the agency had decided to make its involvement in the discovery public at Microsoft’s request.

Expert reaction

Security experts were quick to warn about the dangers associated with this flaw.

“This is serious news, as the crypt32.dll is a module needed for securing the Microsoft Operating Systems,” explained Boris Cipot, senior security engineer at Synopsys.

“We still don’t know precisely what the bug is and how easily it could be exploited, as that hasn’t been fully disclosed yet, but there are some pointers online that can give us an idea,” he said. “We will be able to say more once the patch is released.”

“Users are advised to apply the patch for the crypt32.dll as soon as an update is released,” said Cipot. “However, an issue remains for all the Windows 7 operating systems that are still in use, for which the support is ending today, 14th of January. It will be up to Microsoft to decide whether they will release a last patch, even after the software reached its end of life.”

“Importantly, users are also urged not to trust websites or emails with links that offer patches for the crypt32.dll,” Cipot added. “Phishers prey on announcements of security flaws and design campaigns aimed at exploiting people’s desire to patch a vulnerability as soon as possible. It is important to use the official channels to update operating systems, in this case the Update and Security section in Windows 10 settings.”

Another expert also pointed out that this flaw should be prioritised by all system administrators.

“An attacker can perform man-in-the-middle attacks and decrypt confidential information on user connections to the affected software by using a spoofed code-signing certificate,” explained Jimmy Graham, senior director of product management at Qualys.

“Although Microsoft rated this as Important, NSA privately disclosed this vulnerability to Microsoft and should be prioritized on all systems,” said Graham. “NSA recommends installing the patch as soon as possible to effectively mitigate the vulnerability on all Windows 10 and Windows Server 2016/2019 systems.”
