
Microsoft patches Windows 10 security flaw discovered by the NSA

The Verge, Tom Warren, 4 days ago
Illustration by Alex Castro / The Verge

Microsoft is patching a serious flaw in various versions of Windows today after the National Security Agency (NSA) discovered and reported a security vulnerability in Windows’ handling of certificate and cryptographic messaging functions. The flaw, which Microsoft hasn’t marked critical, could allow attackers to spoof the digital signature tied to a piece of software, letting unsigned and malicious code masquerade as legitimate software.

The bug is a problem for environments that rely on digital certificates to validate the software that machines run, a potentially far-reaching security issue if left unpatched. The NSA reported the flaw to Microsoft recently, and it’s recommending that enterprises patch it immediately or prioritize systems that host critical infrastructure like domain controllers, VPN servers, or DNS servers. Security reporter Brian Krebs first revealed the extent of the flaw yesterday, warning of potential issues with authentication on Windows desktops and servers.

Microsoft has released patches for affected Windows versions

Microsoft is now patching Windows 10, Windows Server 2016, and Windows Server 2019. The software giant says it has not seen active exploitation of the flaw in the wild, and it has marked it as “important” and not the highest “critical” level that it uses for major security flaws. That’s not a reason to delay patching, though. Malicious actors will inevitably reverse-engineer the fix to discover the flaw and use it on unpatched systems.

It’s unusual to see the NSA reporting these types of vulnerabilities directly to Microsoft, but it’s not the first time the government agency has done so. This is the first time the NSA has accepted attribution from Microsoft for a vulnerability report, though. Krebs claims it’s part of a new initiative to make the agency’s research available to software vendors and the public.

A previous NSA exploit targeting Windows’ file-sharing protocol, dubbed EternalBlue, leaked two years ago and caused widespread damage. It led to WannaCry ransomware and other variants locking up computers from the UK’s National Health Service to the Russian Ministry of the Interior. Microsoft was forced to issue an emergency patch for Windows XP, even though the operating system had reached end of support.
