Critical Windows 10 Bug Needs Immediate Fix

By John Lister

The National Security Agency (NSA) has told Microsoft about a major Windows 10 bug which also affects Windows Server 2016 and 2019. A patch is already available and is a must install.

For the NSA to tell Microsoft about a Windows vulnerability and then discuss it publicly is relatively rare. In the past, the NSA has used such security flaws to take advantage of potential suspects, as part of its surveillance program.

In this case, the bug was so serious the NSA seems to have concluded any benefits it could gain itself would be more than wiped out by the threat to the general public (and US security) if it was exploited.

Hackers Could Gain Trust

The bug is part of a major Windows operating system component, namely CryptoAPI. It's a critical component used by software developers to digitally "sign" an application. This is done to prove that the software was created by the named authors, and that it hasn't been modified in any way by a third party.

Were cyber criminals to exploit the bug, they'd effectively be able to create malware and make Windows think it was genuine software from a trusted source.

Because the same component is used to check certificates for encrypted connections, hackers could also have intercepted and decrypted data sent over the Internet. One security expert quoted by Wired said an exploit could have "catastrophic consequences." (Source: wired.com)

Right now there's no sign of anyone actively exploiting the vulnerability, but it's likely to be an immediate priority for hackers to target.

Microsoft has released a patch, detailed on its CVE-2020-0601 page. It should be installed automatically through Windows Update, but users who install updates manually should make this a priority. (Source: pcworld.com)
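Once the patch is installed, Windows records an audit event whenever a certificate fails the new check, so administrators can see whether anyone has tried to pass off a forged certificate on their machines. The following PowerShell snippet is an added example (not from the article or from Microsoft) that pulls those events from the Application log; it assumes the January 2020 patch is already present, since an unpatched host logs nothing.

```powershell
# Added example: list the audit events a patched Windows writes when a
# certificate fails the CVE-2020-0601 validation check.
# Assumption: the patch is installed; unpatched hosts log nothing here.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-Audit-CVE'   # source used by the patched check
    Id           = 1
}

# Get-WinEvent reports "no events found" as an error, so silence it and
# treat an empty result as a clean host rather than a script failure.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'CVE-2020-0601' }

if (-not $events) {
    Write-Output 'No CVE-2020-0601 audit events found on this host.'
} else {
    # One row per attempt, newest first; the message names the process
    # and the certificate that was rejected.
    $events |
        Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated,
            @{ Name = 'Detail'; Expression = { $_.Message -replace '\s+', ' ' } } |
        Format-Table -AutoSize -Wrap
}
```

Run it in an elevated PowerShell session; any rows returned mean something on that machine presented a certificate that only the flawed check would have accepted.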

NSA Touts Own Openness

It's notable that the NSA didn't just tell Microsoft about the bug, but publicly took the credit for doing so. That's likely a way to gain credibility for recent commitments to weigh the NSA's tactical advantages against the public interest when deciding how to handle such discoveries.

That move followed an embarrassing situation in 2017 when a bug the NSA had been secretly exploiting for five years became known to hackers.

What's Your Opinion?

Is it legitimate for the NSA to keep some security bugs quiet so it can exploit them? When should it tell software companies about such bugs? Should Microsoft put pressure on the security services to be more open about bugs they spot?


Comments

matt_2058

I noticed the update had a date of 13Jan2020. Has anyone had any problems with the update available through the link?

Most times, I give it a week or so to see if the update has issues. No sense piling it on if there are problems.

buzzallnight

NO!!!!!!!!

Should Microsoft put pressure on the security services to be more open about bugs they spot?

They can't, only our government can, but our government should!!!!!!!!!!!!!

We really don't need 17 "intelligence" agencies and over half of them should be eliminated.

Is it just me or is it just totally unacceptable that all the flaws in Win 7 cannot be fixed in 10 years?

There should not be any security holes in an operating system, not even 1!

So then they say,
well you need a more modern operating system
and then we see
"Critical Windows 10 Bug Needs Immediate Fix"!!!!!!!!!!!!!!!

Win 10 has been out for four years!!!!!!!!!!!!

Why does the NSA have better programmers than M$???????????
They wrote the damn operating system!!!!!!!!!