NSA alerted Microsoft to major Windows 10 security flaw

Posted: Jan 14, 2020 6:28 PM
Updated: Jan 15, 2020 10:15 PM

The National Security Agency recently alerted Microsoft to a major flaw in its Windows operating system that could let hackers pose as legitimate software companies, agency officials said on Tuesday.

Microsoft issued a software update on Tuesday to fix the vulnerability, as part of its normal schedule for releasing software patches.

News of the vulnerability and patch was first reported by independent journalist Brian Krebs, who said Microsoft provided its software fix to the military and key infrastructure companies ahead of Tuesday's public release.

Microsoft said in a statement Monday night that it provides advance versions of its updates to some users under a special testing program. Jeff Jones, a senior director at Microsoft, declined to discuss specifics of the flaw 'to prevent unnecessary risk to customers.'

The company did not immediately respond to a request for comment on Tuesday.

The NSA's rare announcement of the flaw, along with its decision to warn Microsoft rather than exploit the bug for intelligence purposes, underscores the magnitude of the threat it could pose to businesses, consumers and government agencies worldwide.

The NSA said that, while it has shared vulnerability information with the private sector in the past, this marks the first time that it has come forward publicly to do so. The agency said the decision reflects an effort to build trust with cybersecurity researchers.

'Part of building trust is showing the data,' Anne Neuberger, the NSA's director of cybersecurity, told reporters on a conference call Tuesday. Because the NSA has never allowed itself to be linked to a vulnerability disclosure, she said, 'it's hard for entities to trust that we take this seriously. And ensuring vulnerabilities can be mitigated is an absolute priority.'

The NSA did not use the vulnerability to exploit adversaries, and the bug was turned over to Microsoft as soon as it was discovered, Neuberger added. She said the NSA has not detected any other entities using the bug.

The Department of Homeland Security said on the call that it would issue a bulletin to federal agencies advising them to install the Microsoft patches immediately.

The flaw concerns a core Windows function that verifies the legitimacy of apps and programs, a feature known as CryptoAPI.

'It's the equivalent of a building security desk checking IDs before permitting a contractor to come up and install new equipment,' said Ashkan Soltani, a security expert and former chief technologist for the Federal Trade Commission.

By compromising that validation feature, hackers could easily impersonate 'good' software companies to install bad software, Soltani said, potentially allowing them to spy on computer users or hold their devices hostage for ransom.
