The National Security Agency has recently discovered a severe flaw in Microsoft Windows that could allow hackers to compromise the latest version of Windows 10, which has taken 65.4% of desktop market share.
The flaw is specifically in Microsoft’s CryptoAPI. It could allow a hacker to disguise malware as legitimate software, and exploiting it could also allow an attacker to intercept and modify encrypted internet communications, according to a Carnegie Mellon University report.
The user would have no way of knowing the file was malicious because the digital signature would appear to be from a trusted provider.
Microsoft
The vulnerability is listed as CVE-2020-0601. Microsoft released a patch for Windows 10 and Windows Server 2019 yesterday, as soon as the NSA reported the flaw. Though it is very rare, it is very critical. The NSA and Microsoft strongly recommend that users update Windows to the latest version.
The National Security Agency told the press that users should update their systems to the latest version as soon as possible after the patch is issued, as the flaw can be easily understood by government-hired hackers and can be used to spy on users.
On Tuesday, CISA released an emergency directive ordering federal civilian agencies to apply the patch within 10 business days.
The decision to fix the flaw rather than use it as a weapon represents a victory for the NSA’s Cybersecurity Directorate, a recently launched department charged with the agency’s cyber defense mission.
"When the new cybersecurity directorate was first stood up, we noted we wanted to do things differently. We want a new approach to sharing, to build trust with the cybersecurity community. This is one key aspect of that," said Anne Neuberger, the director of the department.
Although Microsoft has issued the official update, it would take a long time for the update to take effect. Likewise, EternalBlue was exploited one month after its update was issued, in the WannaCry ransomware campaign, one of the biggest hacking attacks.
Neither the NSA nor Microsoft has seen an exploit for the vulnerability.