The flaw is specifically in Microsoft's CryptoAPI service, which helps developers cryptographically "sign" software and data or generate digital certificates used in authentication—all to prove trustworthiness and validity when Windows checks for it on users' devices. An attacker could potentially exploit the bug to undermine crucial protections, and ultimately take control of victim devices."Think of signing malware as if it's trusted by Microsoft or intercepting encrypted web traffic," says David Kennedy, CEO of the corporate security evaluation firm TrustedSec, who formerly worked at the NSA. "That would completely evade so many protections."
As researchers and cyber criminals alike study the vulnerability and rush to develop a hacking tool that takes advantage of it, the scale of the risk to users will become more clear. But a flaw in a crucial cryptographic component of Windows is certainly problematic, especially given that Windows 10 is the most-used operating system in the world, installed on more than 900 million PCs."This is a core, low-level piece of the Windows operating system and one that establishes trust between administrators, regular users, and other computers on both the local network and the internet," says Kenn White, security principal at MongoDB and director of the Open Crypto Audit Project. "If the technology that ensures that trust is vulnerable, there could be catastrophic consequences. But precisely what scenarios and preconditions are required—we're still analyzing. It will be a long day for a lot of Windows administrators around the world."
The NSA's decision to share the vulnerability brings to mind the NSA hacking tool known as Eternal Blue , which exploited a Windows bug patched in early 2017. That flaw was present in all versions of Windows available at the time, and the NSA had known about the bug—and exploited it for digital espionage—for more than five years. Eventually, the NSA lost control of Eternal Blue; a few weeks after Microsoft issued a fix, a mysterious hacking group known as the Shadow Brokers leaked the tool online . Criminals and nation state hackers alike had a field day with the tool, as Windows machines around the world slowly got around to patching.
Researchers at Ohio State University, the security company FireEye, and research firm Leidos last week published a paper describing a new system that reads millions of tweets for mentions of software security vulnerabilities, and then, using their machine-learning-trained algorithm, assessed how much of a threat they represent based on how they're described.
The Windows 10 validation bug may be the NSA's attempt to avoid a similar debacle. And unlike Eternal Blue, Neuberger made a point to say that the agency had not used the exploit itself.In fact, Neuberger said that disclosing the code verification bug to Microsoft and the public is part of a new NSA initiative in which the agency will share its vulnerability findings more quickly and more often. The effort will work alongside the existing Vulnerability Equities Process run by the National Security Council, which weighs the national security importance of keeping hacking tools secret versus disclosing vulnerabilities.
That's why the NSA didn't just disclose the vulnerability, but made its role public. "It’s hard for entities to trust that we indeed take this seriously," she said, "and [that] ensuring that vulnerabilities can be mitigated is an absolute priority."