U.S. Intelligence Agency Finds Major Security Flaw in Windows 10; Microsoft Releases Fix

The National Security Agency (NSA) discovered a vulnerability in Microsoft’s Windows 10 and Windows Server 2016/2019 that would have allowed threat actors to intercept communications that were supposed to be secure. Microsoft has already released a security update that patches the cryptographic vulnerability in the affected products.

The vulnerability, CVE-2020-0601, affects Windows systems that establish secure network connections and applications that depend on Windows for trust functionality.

According to the NSA, “Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.”


The bug is in Windows CryptoAPI (crypt32.dll), the component that Windows itself and third-party applications rely on to validate cryptographic certificates. Specifically, it lies in how CryptoAPI validates certificates that use Elliptic Curve Cryptography (ECC): a crafted certificate could be accepted as if it chained to a trusted certificate authority when it did not. Because developers sign their programs with such certificates, and Windows uses the same validation for HTTPS and other TLS connections, an attacker could make a malicious executable or a spoofed server appear trusted. That is what makes the bug useful for remotely distributing malware and for intercepting data the user believed was protected by an encrypted connection.

The agency reported the bug to Microsoft “quickly and responsibly”. NSA urged that the vulnerability be patched promptly because its consequences would be “severe and widespread”. Microsoft rated the vulnerability as Important and noted in a blog post that it had not seen the bug used in attacks. Both NSA and Microsoft went public with the vulnerability on January 14, 2020 (that month’s Patch Tuesday) but did not say when the bug was found.
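For defenders, the patch also added a telemetry hook: once the January 2020 update is installed, Windows writes an Application-log event (provider Microsoft-Windows-Audit-CVE, Event ID 1, message tagged “[CVE-2020-0601] cert validation”) whenever a certificate that would have exploited the flaw is presented. The PowerShell below, added here as an example and not code from the article, NSA or Microsoft, pulls those events from a patched host. The 30-day look-back window and the way the output is trimmed are assumptions for illustration; an unpatched host never logs the event, so an empty result is not evidence of safety.

```powershell
# Added example: hunt for attempted CVE-2020-0601 exploitation on a patched host.
# Assumptions: the January 2020 update is installed; events land in the
# Application log under provider "Microsoft-Windows-Audit-CVE", Event ID 1,
# with "[CVE-2020-0601]" in the message. The 30-day window is arbitrary.
$lookback = (Get-Date).AddDays(-30)

$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-Audit-CVE'
    Id           = 1
    StartTime    = $lookback
}

# Get-WinEvent raises a non-terminating error when nothing matches, so
# suppress it and treat "no events" explicitly below.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'CVE-2020-0601' }

if (-not $events) {
    Write-Host "No CVE-2020-0601 audit events since $lookback."
    Write-Host "Confirm the host is patched: unpatched systems never log this event."
    return
}

# Each hit means a certificate failed the corrected ECC check; the message
# names the certificate and the process that presented it.
$events |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, Id, ProviderName,
        @{ Name = 'Message'; Expression = { ($_.Message -replace '\s+', ' ').Trim() } } |
    Format-Table -AutoSize -Wrap
```

To sweep a fleet, add `-ComputerName` to `Get-WinEvent` or forward the Application log to a collector and run the same provider/ID filter there; the event is the signal the patch was designed to emit, so it is worth alerting on rather than only reviewing after the fact.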
