NSA hands serious flaw to Microsoft rather than use it

Update your Windows 10 computers now — the latest set of patches from Microsoft includes one for a scary flaw that was handed over by the US National Security Agency (NSA).

Ahead of this month's Patch Tuesday, rumours swirled of a serious cryptographic flaw. Yesterday the source of the discovery was revealed to be the NSA, which not only spotted the vulnerability but handed it over to Microsoft rather than making use of it itself. That's a departure from how the NSA would normally treat such discoveries and indicates not only the seriousness of the bug but also a desire to "turn over a new leaf" and start sharing its research into security rather than undermining it for surveillance purposes.

Indeed, the NSA said it wasn't the first time it had reported a vulnerability to Microsoft, but it previously refused credit.

The serious flaw in Microsoft's CryptoAPI could be used to spoof a code-signing certificate to digitally sign malicious code, making it look as though it came from a trusted source. "The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider," Microsoft notes in the security notice. "A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software."

The NSA said that the flaw undermines trust in the widely used Public Key Infrastructure (PKI) and could impact everything from HTTPS connections and signed emails to signed code, across companies, home users and governments. "This kind of vulnerability may shake our belief in the strength of cryptographic authentication mechanisms and make us question if we can really rely on them. Fortunately, we can," Neal Ziring, Technical Director at the NSA Cybersecurity Directorate, said in a blog post. "[The flaw] reflects a weakness in the implementation of one subtle aspect of PKI certificate validation. The technology and standards are sound; it is one implementation that needs repair."

Thankfully, Microsoft and the NSA both said there was no evidence that the flaw had been spotted or used by hackers. "This month we addressed the vulnerability CVE-2020-0601 in the usermode cryptographic library, CRYPT32.DLL, that affects Windows 10 systems," said Mechele Gruhn, Principal Security Program Manager at the Microsoft Security Response Center, in a blog post. "This vulnerability is classed Important and we have not seen it used in active attacks."

However, now that the details are public, we can expect that to change. "The consequences of not patching the vulnerability are severe and widespread," the NSA said in a statement. "Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners."

The flaw impacts Windows Server as well as Windows 10, which is used on 400 million computers globally, but the patch is already available as part of Microsoft's monthly updates. "Customers who have already applied the update, or have automatic updates enabled, are already protected," said Jeff Jones, a senior director at Microsoft, in a statement.

Of course, patching takes time for larger organisations. The NSA recommended via a statement that companies prioritise endpoints that are essential or widely used, such as web servers or DNS servers, as well as those with a high risk of exploitation, in particular those directly exposed to the internet and those used by privileged accounts.
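The NSA's advice above (patch first, then prioritise exposed and privileged endpoints) raises the practical question of how to tell which hosts still need attention. The following PowerShell script is an added example and is not code from the article, the NSA or Microsoft. It assumes that the fix arrived in the January 2020 cumulative update (Patch Tuesday was 14 January 2020), so it treats "any Windows update installed on or after that date" as a heuristic for "fix present"; the exact KB for each build should be confirmed against Microsoft's advisory. It also queries the Application log for the Microsoft-Windows-Audit-CVE event that Microsoft documented for the patched crypt32.dll, which this article does not mention; confirm the provider name and event ID on one of your own patched hosts before relying on it.

```powershell
# Added example, not code from the article, the NSA or Microsoft.
# Triage a Windows 10 / Windows Server host for the CVE-2020-0601 fix.
#
# Assumptions (labelled here because the article does not state them):
#  - The fix shipped in the January 2020 cumulative update; Patch Tuesday was
#    14 January 2020, so "a Windows update installed on or after that date" is
#    used as a heuristic for "the fix is present". Confirm the exact KB for
#    your build against Microsoft's advisory before trusting the result.
#  - After patching, crypt32.dll logs Event ID 1 from provider
#    "Microsoft-Windows-Audit-CVE" in the Application log when it rejects a
#    certificate that tries to exploit the flaw. That source/ID comes from
#    Microsoft's guidance for the patch, not from this article.

param(
    [datetime] $PatchTuesday = [datetime] '2020-01-14'
)

# 1. Record the usermode CryptoAPI library version for the inventory.
$dll = Get-Item (Join-Path $env:SystemRoot 'System32\crypt32.dll')
$dllVersion = $dll.VersionInfo.FileVersion

# 2. Has any Windows update been installed since Patch Tuesday? (heuristic)
$recentUpdates = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
    Sort-Object InstalledOn -Descending

# 3. Has the patched validator already rejected a spoofed certificate?
#    Absence of events before patching proves nothing: the unpatched library
#    accepted forged certificates silently, so only post-patch data counts.
$cveEvents = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Audit-CVE'
        Id           = 1
    } -ErrorAction SilentlyContinue

# One record per host, suitable for collecting into a prioritisation sheet.
[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    Crypt32Version       = $dllVersion
    UpdatesSincePatchDay = @($recentUpdates).Count
    LatestUpdate         = if ($recentUpdates) { @($recentUpdates)[0].HotFixID } else { $null }
    LikelyPatched        = [bool]$recentUpdates
    CveEventsLogged      = @($cveEvents).Count
    LastCveEvent         = if ($cveEvents) { @($cveEvents)[0].TimeCreated } else { $null }
}
```

Run it locally on a host, or push it to a prioritised list with Invoke-Command, and treat a LikelyPatched of False on an internet-facing server or an admin workstation as the first thing to fix. A non-zero CveEventsLogged on a patched host means something presented a certificate the fixed validator rejected and is worth an incident ticket, not just a patch ticket.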

While the notification of the flaw by the NSA will be welcome to Microsoft and its users, whether this signals a new era of cooperation remains to be seen. Chris Morales, Head of Security Analytics at Vectra, notes that different motivations could be in play, regardless of the agency's plans to "turn over a new leaf". "Kudos to the NSA for informing Microsoft and to Microsoft for quickly reacting," he said. "I’d be interested to understand what makes this exploit worth reporting to Microsoft instead of keeping for their personal arsenal as they have in the past.

"It could be because many of those previous tools leaked and have caused widespread damage across multiple organisations," he said. "It could be because there was a concern other would find this vulnerability themselves and it was dangerous enough to warrant remediation instead of weaponising. Or it just could be the NSA already has enough other methods for compromising a Windows system and doesn’t need it."

If it is a sign of cooperation to come, then it's to be welcomed and shows how the government can help security, said Allan Liska, Senior Solutions Architect at Recorded Future. "This reporting is also likely a direct result of the revamped Vulnerability Equities Process (VEP) at NSA," he adds. "The goal of the revamped program is to prioritise public interest in reporting security flaws and protecting core systems and infrastructure. Certificate signing is critical to the trust of software applications in both the public and private sectors, so this reporting certainly meets the 'critical' threshold." He noted it's not known how long the NSA has been aware of the vulnerability, but it was reported to Microsoft a few weeks ago.