BUG ALERT: Microsoft and NSA Discover a Major Security Bug
- January 15, 2020
- Hiba Sulaiman
Microsoft has just released a security patch for a dangerous vulnerability in Windows 10 (and in the Windows Server 2016 and 2019 releases built on the same code) that affects hundreds of millions of computers.
The vulnerability, tracked as CVE-2020-0601, lies in CryptoAPI, a decades-old Windows cryptographic component implemented in crypt32.dll. Among its many functions, CryptoAPI validates the digital signatures with which developers sign their software, so that users and the operating system can verify that a program really comes from the publisher it claims. The bug allows an attacker to craft a malicious file, or to tamper with a legitimate one, so that it appears to carry a valid signature from a trusted publisher, putting unpatched computers at risk.
Microsoft stated, “The user would have no way of knowing the file was malicious because the digital signature would appear to be from a trusted provider”. However, the tech giant was firm that there was no evidence that the bug had been actively exploited by attackers before the patch. Microsoft classified the bug as “important”, one step below its “critical” rating.
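As an added example (not part of the original article), the following PowerShell script performs three checks an administrator would want after this patch: it inspects a file's code signature and walks the signer's certificate chain, which is the CryptoAPI validation the article describes; it confirms that an update from the January 14, 2020 Patch Tuesday or later is installed and prints the crypt32.dll file version for comparison against the vendor advisory; and it searches the Application log for the Event ID 1 entries from provider Microsoft-Windows-Audit-CVE that patched systems write when a certificate abusing this flaw is presented for validation. The sample file path and the 30-day search window are assumptions chosen for illustration; the CVE identifier and the event provider name are the ones Microsoft assigned.

```powershell
# Added example, not code from the original article. Three post-patch checks
# for the Windows CryptoAPI certificate-validation flaw (CVE-2020-0601).
# Assumptions: the sample file path and the 30-day window are hypothetical.

# 1. Inspect a file's Authenticode signature and walk the signer chain.
#    Status 'Valid' means the signature chains to a root this machine trusts.
function Get-SignerChain {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{ Path = $Path; Status = $sig.Status; Chain = @() }
    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $null = $chain.Build($sig.SignerCertificate)
        $result.Chain = $chain.ChainElements | ForEach-Object {
            [pscustomobject]@{
                Subject      = $_.Certificate.Subject
                KeyAlgorithm = $_.Certificate.PublicKey.Oid.FriendlyName
                Issuer       = $_.Certificate.Issuer
            }
        }
        $chain.Dispose()
    }
    [pscustomobject]$result
}

# 2. Confirm the January 2020 cumulative update (or a later one) is present.
#    crypt32.dll is the component the article refers to; its file version is
#    reported so it can be compared with the build listed in the advisory.
function Test-CryptoApiPatched {
    $since = Get-Date '2020-01-14'   # Patch Tuesday on which the fix shipped
    $fixes = @(Get-HotFix | Where-Object { $_.InstalledOn -ge $since })
    $dll   = Get-Item (Join-Path $env:SystemRoot 'System32\crypt32.dll')
    [pscustomobject]@{
        UpdatesSince20200114 = $fixes.Count
        Crypt32Version       = $dll.VersionInfo.FileVersion
        LooksPatched         = $fixes.Count -gt 0
    }
}

# 3. Look for exploitation attempts. Once the patch is installed, Windows
#    writes Event ID 1 from provider Microsoft-Windows-Audit-CVE to the
#    Application log whenever a certificate that abuses this flaw is
#    presented for validation; the message names the CVE.
function Get-CryptoApiAuditEvents {
    param([int]$Days = 30)   # hypothetical window
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Audit-CVE'
        Id           = 1
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'CVE-2020-0601' } |
        Select-Object TimeCreated, MachineName, Message
}

# Hypothetical sample file; substitute any signed binary you want to inspect.
Get-SignerChain -Path (Join-Path $env:SystemRoot 'System32\notepad.exe')
Test-CryptoApiPatched
Get-CryptoApiAuditEvents
```

An empty result from the third check only means no exploitation attempt was seen on that machine after the patch was applied; the audit event does not exist on unpatched systems, so the second check has to come out true before the third one says anything.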
According to the NSA (National Security Agency), it found the vulnerability and turned the details over to Microsoft so the issue could be fixed. The NSA’s credibility was questioned again, as it had been in 2017, when it emerged that the spy agency had found a Windows vulnerability and used it for its own surveillance tools instead of alerting Microsoft to the flaw. The NSA’s Director of Cybersecurity, Anne Neuberger, asserted that the vulnerability went through the VEP (Vulnerabilities Equities Process) as soon as it was discovered, the process by which the government decides whether to retain a flaw for its offensive operations or disclose it to the vendor. It is not publicly known whether the NSA used the bug for offensive operations before reporting it to Microsoft.
Jake Williams, a former NSA hacker and founder of Rendition InfoSec, said, “This one is a bug that would likely be easier for governments to use than the common hacker”. He also expressed confidence in the agency’s decision: “It’s encouraging to see such a critical vulnerability turned over to vendors rather than weaponized.”
Microsoft kept a tight circle around the details of the vulnerability before the patch shipped. According to sources, only a few people inside and outside the company, among them the government’s Cybersecurity and Infrastructure Security Agency (CISA), were fully aware that it existed.