If you’re running Windows 10 … well, you have my sympathy. But that aside, you need to patch your system NOW.
Last week’s Patch Tuesday contained a critical update to Windows 10 from none other than America’s spy-meisters, the NSA. It’s a zero-day exploit, meaning it wasn’t detected in the wild before the patch was release, but within 24 hours security researchers had working exploits, so you can be the bad guys did too.
The bug, flaw, oversight or deliberate omission, (more on that in a moment), is a critical vulnerability in the system’s cryptographic library that can make it appear files are coming from a legitimate, trusted source. Users have no way of knowing the files are malicious because the digital signature looks like they’re coming from a trusted provider.
The Microsoft advisory continues:
A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.
In the words of security expert Bruce Schneier:
That’s really bad, and you should all patch your systems right now, before you finish reading this blog post.
The NSA security advisory goes into more detail than the Microsoft one, highlighting three possible attack vectors: (1) Executable code – the programs your computer runs, (2) Signed files and emails – messages and files from people you trust, like … um … Microsoft, and (3) HTTPS connections – your secure connections with the rest of the world, like your bank account, for example. Little wonder they say:
NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the … platform … fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.
So patch your system now then come back and read the rest.
Flaw, oversight or deliberate omission?
The error is apparently so elementary that, according to several commentators, Microsoft had to violate an RFC in order to code it so badly. (RFCs are canonical internet standards documents used by the entire industry.) The actual RFC (RFC 5480, if you’re interested) spells it out quite clearly:
This choice MUST NOT be used.
But Microsoft used it.
And all the checkers and testers and security staff signing off on “the most secure Windows ever” missed it too.
Naturally, that’s led to questions about competence and trust and the NSAs role in the whole affair. Was it a deliberate bug introduced or insisted upon by the NSA itself in order to exploit foreign systems? Had “outside actors” recently discovered the flaw and started exploiting it, forcing the NSA to insist the loophole be closed? As Schneier himself notes:
Even assume that the NSA is using this vulnerability — why wouldn’t it?
One commenter to Schneier’s blog spotted an anomaly in the date stamp of the PDF file name from the NSA. You’ll see it’s called CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF
… and yes, that date of 2019 01 14 in the file name is most likely not a typo, since we’re talking about NSA here… they don’t do this type of typos [sic] when reporting bugs to Microsoft, reviewed and validated by at least 3…5 people.
There’s another interesting coincidence in the timing of all this. The critical Windows 10 patch was issued on January 14, the very last day of official security updates for Windows 7. Windows 7 is now officially retired, despite recent estimates showing it’s still in use on around 200 million PCs worldwide. What’s more, it appears Win 7 is not vulnerable to this exploit. Was the timing intended to push the holdouts to upgrade to Windows 10 in the hope of getting a patch they don’t need?
Whoa, I’m going to stop there before I get sucked into a conspiracy spiral. I’ll just leave you with the words of another commenter on Schneier’s post:
What did the NSA embed inside the so-called fix?