You may want to update all your Microsoft-related software ASAP. The National Security Agency — yes, the same NSA that Edward Snowden warned us about — reportedly alerted Microsoft that there’s a major flaw in the Windows operating system, a flaw that Microsoft has not confirmed that it’s directly addressed as of yet. Reportedly, it could affect the Windows 10 operating system, and the Windows Server 2016.
First reported by the Washington Post, Microsoft said in a statement to Digital Trends that it is “releasing this month’s update” at 10 a.m. PST on Tuesday, January 14, as part of a “regular Update Tuesday schedule.”
“We follow the principles of coordinated vulnerability disclosure as the industry best practice to protect our customers from reported security vulnerabilities,” Microsoft senior director Jeff Jones said in an email to DT. “To prevent unnecessary risk to customers, security researchers and vendors do not discuss the details of reported vulnerabilities before an update is available.”
The NSA confirmed in a call to journalists this morning that it had alerted Microsoft to the problem, but did not respond to a further request for comment. In a statement released later in the day, the agency confirmed that Microsoft had released “several patches” and they urged everyone to install the updates, as the vulnerability in question was serious.
“NSA contributed to addressing this problem by discovering and characterizing the vulnerability, and then sharing with Microsoft quickly and responsibly,” the statement says. “The company has provided the solution, and now all of us need to adopt it.”
Journalist Brian Krebs reported that there’s been no active exploitation of this soft spot so far, but that apparently some government agencies got an “advance patch” for their systems.
NSA says they discovered the flaw on their own and that Microsoft will report that MS has seen no active exploitation of this vulnerability so far.
— briankrebs (@briankrebs) January 14, 2020
The discovery bares shades of the notorious NSA hacking tool “EternalBlue,” which the NSA used for years to spy on Microsoft systems until the Russians got a hold of it and published it online.
The vulnerability relates to a problem with digital signatures. The code in question reportedly has a flaw in the way it verified digital signatures, which would allow a hacker to potentially duplicate or forge the signature and breach the software from there.
The issue first came to light when security researcher Will Dormann tweeted on Monday that people should definitely update their Microsoft software when an update is available.
I get the impression that people should perhaps pay very close attention to installing tomorrow's Microsoft Patch Tuesday updates in a timely manner. Even more so than others.
I don't know… just call it a hunch?
¯_(ツ)_/¯— Will Dormann (@wdormann) January 13, 2020
This will, apparently, be part of a new initiative at the NSA that Krebs reported will be called “Turn a New Leaf”: an attempt to show a more public-service-y side to the NSA by making its vulnerability research available to the public, eventually.