Author Topic: Microsoft Issues Critical Windows Security Fix after Tip-Off from U.S. NSA  (Read 490 times)

Offline ipfd320

  • Skywarn Spotter
  • Licensed Amateur Radio Operator
  • ARES Operator
  • Posts: 5278







Microsoft Issues Critical Windows Security Fix after Tip-Off from U.S. NSA
Reuters
January 14, 2020, 5:58 PM UTC



WASHINGTON (Reuters) -
Microsoft Corp on Tuesday rolled out an important security fix after the U.S. National Security Agency tipped off the company to a serious flaw in its widely used Windows operating system, officials said.

Microsoft said the flaw could allow a hacker to forge digital certificates used by some versions of Windows to authenticate and secure data. Exploiting the flaw could have potentially serious consequences for Windows systems and users.

The NSA and Microsoft said they had not seen any evidence that the flaw had previously been abused but both urged Windows users to deploy the update as soon as possible. NSA official Anne Neuberger noted that operators of classified networks had already been prodded to install the update and everyone else should now "expedite the implementation of the patch."

The Microsoft patch marks the first time the NSA has publicly claimed credit for prompting a software security update, although the agency said it has alerted companies in the past to flaws in their products. Neuberger said the agency was striving for more transparency with the information security research community.

"Part of building trust is showing the data," she told reporters in a call just minutes before the patch went live.

The NSA faces a tricky balancing act when it comes across such vulnerabilities. The agency had been criticized after its own cyberspies took advantage of vulnerabilities in Microsoft products to deploy hacking tools against adversaries and kept the Redmond, Washington-based company in the dark about it for years.

When one such tool was dramatically leaked to the internet by a group calling itself ShadowBrokers, it was deployed against targets around the globe by hackers of all stripes.

In the most dramatic case, a group used the tool to unleash a massive malware outbreak dubbed WannaCry in 2017. The data-wiping worm wrought global havoc, affecting what Europol estimated https://www.reuters.com/article/us-cyber-attack-europol/cyber-attack-hits-200000-in-at-least-150-countries-europol-idUSKCN18A0FX was some 200,000 computers in more than 150 countries.

Neuberger did not directly address that controversy in her call but said that the NSA hoped to be "a good cybersecurity partner."

"We're working to evolve our mission," she said.


(Reporting by Raphael Satter; Editing by Richard Chang and David Gregorio)











GMRS--Wqtk-711
Ham Radio--N2ATP / AE
Martin County Skywarn Advanced
Martin County Ares/Races
Cpr-First Aid-Aed
FEMA/ICS-1/2/7/800-951 Radio Inter-Op Certified
Former Firefighter (Broad Channel / Island Park)

Offline ipfd320

  • Skywarn Spotter
  • Licensed Amateur Radio Operator
  • ARES Operator
  • Posts: 5278
Microsoft Issues Critical Windows Security Fix after Tip-Off from U.S. NSA
« Reply #1 on: January 15, 2020, 09:00:53 am »








Microsoft and NSA say a security bug affects millions of Windows 10 computers
Zack Whittaker
TechCrunch
January 14, 2020, 1:00 PM EST



Microsoft has released a security patch for a dangerous vulnerability affecting hundreds of millions of computers running Windows 10.

The vulnerability is found in a decades-old Windows cryptographic component, known as CryptoAPI. The component has a range of functions, one of which allows developers to digitally sign their software, proving that the software has not been tampered with. But the bug may allow attackers to spoof legitimate software, potentially making it easier to run malicious software — like ransomware — on a vulnerable computer.

"The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider," Microsoft said.

CERT-CC, the the vulnerability disclosure center at Carnegie Mellon University, said in its advisory that the bug can also be used to intercept and modify HTTPS (or TLS) communications.

Microsoft said it found no evidence to show that the bug has been actively exploited by attackers, and classified the bug as "important."

Independent security journalist Brian Krebs first reported details of the bug.

The National Security Agency confirmed in a call with reporters that it found the vulnerability and turned over the details to Microsoft, allowing the company to build and ready a fix.

Only two years ago the spy agency was criticized for finding and using a Windows vulnerability to conduct surveillance instead of alerting Microsoft to the flaw. The agency used the vulnerability to create an exploit, known as EternalBlue, as a way to secretly backdoor vulnerable computers. But the exploit was later leaked and was used to infect thousands of computers with the WannaCry ransomware, causing millions of dollars' worth of damage.

Anne Neuberger, NSA's director of cybersecurity, told TechCrunch that once the vulnerability was discovered, it went through the vulnerabilities equities process, a decision-making process used by the government to determine if it should retain control of the flaw for use in offensive security operations or if it should be disclosed to the vendor. It's not known if the NSA used the bug for offensive operations before it was reported to Microsoft.

"It's encouraging to see such a critical vulnerability turned over to vendors rather than weaponized."

Neuberger confirmed Microsoft's findings that NSA had not seen attackers actively exploiting the bug.

Jake Williams, a former NSA hacker and founder of Rendition Infosec, told TechCrunch that it was "encouraging" that the flaw was turned over "rather than weaponized."

"This one is a bug that would likely be easier for governments to use than the common hacker," he said. "This would have been an ideal exploit to couple with man in the middle network access."

Microsoft is said to have released patches for Windows 10 and Windows Server 2016, which is also affected, to the U.S. government, military and other high-profile companies ahead of Tuesday's release to the wider public, amid fears that the bug would be abused and vulnerable computers could come under active attack.

The software giant kept a tight circle around the details of the vulnerabilities, with few at the company fully aware of their existence, sources told TechCrunch. Only a few outside the company and the NSA — such as the government's cybersecurity advisory unit Cybersecurity and Infrastructure Security Agency — were briefed.

CISA also issued a directive, compelling federal agencies to patch the vulnerabilities.

Williams said this now-patched flaw is like "a skeleton key for bypassing any number of endpoint security controls," he told TechCrunch.

Skilled attackers have long tried to pass off their malware as legitimate software, in some cases by obtaining and stealing certificates. Last year, attackers stole a certificate belonging to computer maker Asus to sign a backdoored version of its software update tool. By pushing the tool to the company's own servers, "hundreds of thousands" of Asus customers were compromised as a result.

When certificates are lost or stolen, they can be used to impersonate the app maker, allowing them to sign malicious software and make it look like it came from the original developer.

Dmitri Alperovitch, co-founder and chief technology officer at security firm CrowdStrike, said in a tweet that the NSA-discovered bug was a "critical issue."

"Everyone should patch. Do not wait," he said.







GMRS--Wqtk-711
Ham Radio--N2ATP / AE
Martin County Skywarn Advanced
Martin County Ares/Races
Cpr-First Aid-Aed
FEMA/ICS-1/2/7/800-951 Radio Inter-Op Certified
Former Firefighter (Broad Channel / Island Park)

 



*CLICK THE W2LIE LINK TO ACCESS OUR LIVE FEED*
Long Island Scanner Feeds (www.w2lie.net)