Windows 10: NSA Reveals Major Flaw in Microsoft’s Code
January 15th, 2020Via: BBC:
The US National Security Agency (NSA) has discovered a major flaw in Windows 10 that could have been used by hackers to create malicious software that looked legitimate.
Microsoft has issued a patch and said it had seen no evidence of the bug being exploited by hackers.
The issue was revealed during an NSA press conference.
It was not clear how long it had known about it before revealing it to Microsoft.
Brian Krebs, the security expert who first reported the revelation, said the software giant had sent the patch to branches of the US military and other high-level users ahead of its wider release. It was, he wrote, “extraordinarily scary”.
The problem exists in a core component of Windows known as crypt32.dll, a program that allows software developers to access various functions, such as digital certificates which are used to sign software.
It could, in theory, have allowed a hacker to pass off a piece of malicious software as being entirely legitimate.
The NSA’s director of cyber-security Anne Neuberger told reporters that the bug “makes trust vulnerable”.
She added that the agency had decided to make its involvement in the discovery public at Microsoft’s request.
The flaw is also an issue in Windows Server 2016 and 2019, but does not appear to affect older versions of the operating system.