Microsoft released a patch for Windows 10 and Server 2016 today after the National Security Agency found and disclosed a serious vulnerability. It's a rare but not unprecedented tip-off, one that underscores the flaw's severity and maybe hints at new priorities for the NSA. It's a good thing that the NSA found a severe flaw and then alerted Microsoft so it could be patched.
The bug is in Windows' mechanism for confirming that software is legitimately signed and that the certificates behind secure web connections are valid. If the verification check itself isn't trustworthy, attackers can exploit that fact to remotely distribute malware that Windows will accept as legitimate, or to intercept sensitive data.
"[We are] recommending that network owners expedite implementation of the patch immediately, as we will also be doing," Anne Neuberger, head of the NSA's Cybersecurity Directorate, said on a call with reporters on Tuesday. "When we identified a broad cryptographic vulnerability like this, we quickly turned to work with the company to ensure that they could mitigate it."
The flaw is specifically in Microsoft's CryptoAPI, which developers use to cryptographically "sign" software and data and to issue and validate the digital certificates used in authentication, all so that Windows can prove trustworthiness and validity when it checks them on users' devices. An attacker could potentially exploit the bug to undermine those protections, and ultimately take control of victim devices.
Which makes you wonder what other flaws exist that the NSA would rather exploit than help fix.
Anyhoo, if you're running a Windows 10 computer (or Server 2016), you need to run Windows Update as soon as you can.
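As an added example (not code from the post or from Microsoft), here is how you would do that check from an elevated PowerShell prompt on Windows 10 or Server 2016: it reports the build of crypt32.dll (the library that carries CryptoAPI's certificate validation), lists the most recently installed updates, and asks the Windows Update Agent COM API for anything still pending, installing it only when you pass -Install. The post names no KB number, so the script deliberately does not test for one.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
# Usage:  .\Check-CryptoApiPatch.ps1            # report only
#         .\Check-CryptoApiPatch.ps1 -Install   # also download and install pending updates
param([switch]$Install)

# 1. crypt32.dll holds CryptoAPI's certificate-chain validation code. Its file
#    version and timestamp tell you whether the servicing update has landed.
$crypt32 = Get-Item "$env:SystemRoot\System32\crypt32.dll"
"crypt32.dll version : $($crypt32.VersionInfo.FileVersion)"
"crypt32.dll modified: $($crypt32.LastWriteTime)"

# 2. Most recently installed updates (cumulative updates appear as 'Security Update').
Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn |
    Format-Table -AutoSize

# 3. Ask the Windows Update Agent for software updates not yet installed.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

# MsrcSeverity is empty for non-security updates, so this keeps only security fixes.
$pending = @($result.Updates | Where-Object { $_.MsrcSeverity -in 'Critical', 'Important' })
if ($pending.Count -eq 0) {
    "No pending Critical/Important updates reported by Windows Update."
    return
}

"Pending security updates:"
$pending | ForEach-Object {
    "  [{0}] KB{1} {2}" -f $_.MsrcSeverity, ($_.KBArticleIDs -join ', KB'), $_.Title
}

if (-not $Install) {
    "Re-run with -Install to download and install them."
    return
}

# 4. Download and install. Needs elevation and a reachable update source (WU or WSUS).
$toInstall = New-Object -ComObject Microsoft.Update.UpdateColl
$pending | ForEach-Object { [void]$toInstall.Add($_) }

$downloader = $session.CreateUpdateDownloader()
$downloader.Updates = $toInstall
[void]$downloader.Download()

$installer = $session.CreateUpdateInstaller()
$installer.Updates = $toInstall
$outcome = $installer.Install()

# OperationResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed.
"Install result code: $($outcome.ResultCode)"
if ($outcome.RebootRequired) { "Reboot required to finish applying the update." }
```

The WUA COM API is what the Windows Update UI itself drives, so this works on hosts pointed at WSUS as well as at Microsoft's servers. On a machine managed by an enterprise update policy, the pending list may be empty until your WSUS administrator approves the update, which is worth knowing before you conclude the host is patched.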
2 comments:
Got mine last night, thank you.
-Doug in Oakland
Get Ubuntu or Linux Mint. So smooth, so creamy. Applications, updates and the operating system are always free: free as in speech and free as in beer. Does not phone home to any TLA (telemetry, spyware) as Win does. Inherent security both by design and by obscurity. Works well as a virtual OS inside Win. Dump MS.