CISA alerts on NSA-discovered Windows 10 flaw

Attackers could use the vulnerability to trick users into installing "updates" from trusted parties that are actually malware.

enterprise security (Omelchenko/Shutterstock.com)
 

The National Security Agency informed Microsoft about the existence of a previously unidentified flaw in the Windows 10 operating system that could allow a Man in the Middle attacker to spoof public key infrastructure certificates of trusted individuals.

Microsoft moved quickly to issue patches during its regular Patch Tuesday updates and the Cybersecurity and Infrastructure Security Agency issued an emergency directive the same day giving federal agencies 10 business days to ensure the patches are applied to "all affected endpoints on agency information systems" as well as new or existing disabled endpoints.

"Agencies should prioritize patching mission critical systems and High Value Assets (HVAs), internet-accessible systems, and servers," the directive states. "Agencies should then apply the patch to the remaining endpoints."

Public Key Infrastructure is used to authenticate users and securely associate cryptographic keys with users and devices. Attackers could use the vulnerability to trick users into installing "updates" from trusted parties that are actually malware.

"It bypasses the trust store, allowing unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization, which may deceive users or thwart malware detection methods like anti-virus," the CISA directive states.

While cybersecurity experts are still debating the severity of the flaw, the notification (and public confirmation) from NSA is rare and indicates that the agency views the potential for harm as serious.

"NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable," the agency wrote in a cybersecurity directive released Tuesday.