Alert: new security flaw in Windows 10

The security flaw detected by the U.S. government puts millions of computers at risk.


The United States National Security Agency (NSA) has discovered a bug in Windows 10 that computer intruders can use to create malicious software (malware) that looks legitimate.

What is the problem?

The vulnerability is found in a decades-old cryptographic component of Windows, known as CryptoAPI. This component has a wide range of functions, one of which allows developers to digitally sign their software, demonstrating that it has not been altered. However, this newly detected bug may allow attackers to pass off malicious software as legitimately signed software, which could facilitate the execution of malware, such as ransomware, on a vulnerable computer.

"The user would have no way of knowing that the file is malicious, because the digital signature would appear to be from a reliable provider," Microsoft said.

CERT-CC, the vulnerability outreach center at Carnegie Mellon University, said the bug can also be used to intercept and modify HTTPS (or TLS) communications.

According to the technology giant, it has found no evidence that the vulnerability has been actively exploited by attackers, and it classifies the issue as "important".

Which versions of Windows does it affect?

The security flaw is a problem for environments that rely on digital certificates to validate the software running on their machines and, logically, it is a potentially far-reaching security problem if not repaired.

The affected operating systems are: Windows 10, Windows Server 2016 and Windows Server 2019. The fact that this is an "important" vulnerability but not a "critical" one is no reason to delay applying the patch, since potential computer intruders will inevitably reverse engineer the fix to locate the bug and use it against systems that have not been updated.

"The vulnerability puts Windows endpoints at risk for a wide range of exploitation vectors," the NSA said in a statement. "The NSA assesses that the vulnerability is severe and that the most sophisticated cyber actors will understand the underlying failure very quickly and, if exploited, will make the aforementioned platforms fundamentally vulnerable".

Is the patch available yet?

Microsoft has already released a patch that fixes this security bug. Some computers will receive the fix automatically if they have the automatic update option enabled. Others can get it manually by going to Windows Update in their computer settings.

"We recommend that users install the patch immediately," said Anne Neuberger, head of the NSA's cyber security directorate. The agency alerted Microsoft as soon as it discovered the security flaw.

"Customers who have already applied the update, or have automatic updates enabled, are already protected," Jeff Jones, senior director of Microsoft, said in a statement. "As always, we encourage users to install all security updates as soon as possible".

It is unusual to see the NSA reporting such vulnerabilities directly to Microsoft, but it is not the first time that the government agency has done so.
