Flaw could have undermined a key trust mechanism, and spy agency took unusually public step to point it out
The U.S. National Security Agency discovered a major security flaw in Microsoft’s Windows 10 operating system, and tipped off the company. Microsoft made a software patch to fix it, and credited the agency for finding the flaw.
Why was that such a big deal?
Two reasons. First, an attacker could have exploited the vulnerability by “spoofing” a code-signing certificate – counterfeiting a key trust mechanism – so it looked like a file came from a trusted source. The company said “The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.”
Second, the NSA chose to publicly reveal the vulnerability to the world’s largest software maker rather than exploit the flaw in order to gather intelligence about threats to the United States. The spy agency said “NSA contributed to addressing this problem by discovering and characterizing the vulnerability, and then sharing with Microsoft quickly and responsibly.”
Luis Corrons, Avast’s security evangelist, said this combination of factors made the incident noteworthy. “The vulnerability was serious, and the NSA’s statement was unusual in its transparency. Combining those two things makes for a big story. Frankly, this is how things are supposed to work. The public has a right to know and a need to understand this kind of risk – and what government and companies do to counter it.”
Is this different from past NSA procedures?
Yes. Experts say this likely reflects changes made in 2017 to put more emphasis on disclosing vulnerabilities in order to protect core internet systems. Those changes followed a loss of trust in the NSA after a hacking group released high-level hacking tools that had been stolen from the agency, a release that forced companies including Microsoft to repair their systems.
Did Microsoft say the vulnerability was not as significant as NSA claimed?
No, but the software maker did rate the flaw as “important,” rather than “critical,” noting that, as far as the company knew, it had not been exploited. NSA said “This vulnerability may not seem flashy, but it is a critical issue. Trust mechanisms are the foundations on which the internet operates.” Some saw this as a discrepancy between the two organizations; others noted that Microsoft has classified other major threats as only “important.”
What should I do?
You should always install operating system updates to ensure your computer has the latest software and security fixes. Microsoft has guidance on how to check whether your computer is up to date and how to set it to receive automatic updates. The NSA has guidance for system administrators responding to this specific threat to Windows 10.
If you do not currently use an antivirus, take this opportunity to check out Avast Free Antivirus, the only award-winning free antivirus strong enough to protect a global community of hundreds of millions of users. And see how Avast stacks up to the competition in this comparison of best free antivirus software.