Why do experts value the NSA's reporting of the Windows 10 vulnerability?

In January 2020, Microsoft distributed security patches to fix a dangerous vulnerability affecting hundreds of millions of PCs running Windows 10. According to Microsoft's report, the vulnerability was discovered in CryptoAPI, a Windows API, but security experts pointed out that the "particularly important point" was that the vulnerability had been reported by the U.S. National Security Agency (NSA).

Using one of the features included in CryptoAPI, developers can digitally sign software to prove that it has not been tampered with. However, the CryptoAPI vulnerability Microsoft announced this time makes it possible to forge the digital signature of content such as software and files, so that dangerous content appears to be safe.

Microsoft said, "Since the digital signature appears to come from a trusted provider, there is no way for the user to know that the file is malicious," and an attacker exploiting the vulnerability may be able to run malicious software such as ransomware on vulnerable computers. CERT/CC, the vulnerability disclosure center operated by Carnegie Mellon University, said in its advisory on this vulnerability that "exploitation of this vulnerability may allow HTTPS or TLS communications to be intercepted or modified."

On the other hand, security experts are also looking at the vulnerability from another perspective. "Generally, patches that fix such vulnerabilities are always important, but this one became even more important in that the NSA disclosed the vulnerability to Microsoft," said Satnam Narang, senior research engineer at cybersecurity company Tenable.

The NSA is known to spend heavily on developing malware and hacking tools, and it has also been found to have created tools enabling zero-day attacks using vulnerabilities it discovered but did not disclose.

In addition, EternalBlue, an exploit tool developed by the NSA, was used to spread the WannaCry ransomware, and the NSA was strongly criticized for having known about the vulnerability that the tool exploited.

The NSA's reporting of a vulnerability it discovered to Microsoft appears to be an attempt to break away from its past policy of "hiding discovered vulnerabilities and using them for its own activities." Former NSA hacker Jake Williams asserts, "This bug is easier for government agencies to use than for a typical hacker. It was an ideal vulnerability for man-in-the-middle network monitoring," and welcomed the fact that the NSA shared the vulnerability it discovered with Microsoft rather than keeping it to itself.

It is not clear how long it took from the NSA's discovery of the vulnerability until it was actually reported to Microsoft, but Microsoft told CNBC that "we have not seen the vulnerability actually being exploited."

This is not the first time a government agency has reported a vulnerability to a company, but it is the first time a vulnerability report has been attributed to the NSA. Security reporter Brian Krebs asserted that the NSA-Microsoft partnership is part of a new initiative to "make NSA research accessible to software vendors and the public."

The NSA also pointed out in its own advisory (PDF file) that this vulnerability is very dangerous, stating that "this vulnerability puts Windows devices at risk of being exposed to a wide range of malicious vectors."

