Software Development

NSA goes public with Windows security vulnerability

The Fort Meade-based agency said it found a "serious vulnerability" in Windows 10, leading to development of a patch by Microsoft. Here's why that's significant in cybersecurity circles.

NSA headquarters at Fort Meade. (Photo via Wikimedia Commons)

The Fort Meade, Maryland-based National Security Agency’s cybersecurity work typically operates out of view. After all, it famously earned the nickname “No Such Agency.”

But this week, the NSA went public with a security flaw it found. The “serious vulnerability” was flagged in Microsoft products including Windows 10 and Server 16. The bug traces to a weakness in a cryptography function that verifies whether a system is downloading software that is legitimately from Microsoft.

“You can use that weakness to make Windows [10] systems download and install software that appears to be coming from Microsoft that is not,” said Edward Stanford, CTO of Columbia-based Zuul, which works with customers on certificate management and cryptography management for industrial controls and Internet of Things systems.

This could lead attackers to develop new exploits that take control of systems. The NSA alerted Microsoft to the vulnerability, and the company released a patch to fix systems. NSA then went public with a key message: Update systems with a patch.

“This is bad,” Stanford said. “If you do it right then you can take over most networks or computers that are Windows-based. The faster they get patched, the less true that statement will be.”

This could affect a broad group of systems, from personal laptops to corporate servers. But installing a patch on a home laptop is a fix on a different scale from making sure an entire company’s network is protected.

NSA went public with a key message: Update systems with a patch.

“Now that it’s a widely known exploit, everyone’s got to defend against it. Most home systems have an easy button, most corporate systems don’t,” Stanford said. However, he said of the company systems, “that doesn’t mean it can’t be done.”

Plenty of companies have been taking action, as well, including Columbia-based cybersecurity company Tenable, which works with released plugins to identify the vulnerability.

“This vulnerability, and the attention it’s received from various government agencies, is unprecedented. It calls into question our very trust in today’s digital world — the trust that our encoded communications are secure,” said Renaud Deraison, cofounder and CTO of Tenable, in a statement. “We implore organizations to patch their systems immediately.”

For NSA, the public announcement isn’t unprecedented, but it’s also not a move that’s made often. For one, that indicates the severity of the threat posed by the vulnerability. At the same time, Wired noted that it’s distinct from how the NSA approached a hacking tool known as EternalBlue, which also centered on a Microsoft vulnerability. In that case, NSA did not disclose the flaw publicly. This squares with actions of an intelligence agency looking to gain an edge on the cyber battlefield. But it was later leaked online, and used in attacks. Going forward, NSA Cybersecurity Directorate head Anne Neuberger told reporters this week that the agency will disclose more findings to the public.

Stanford said this week’s public disclosure shows a willingness by NSA to embrace another part of its mission: protecting the country’s infrastructure.

“I’m really glad they stepped up, saw a problem and helped everyone fix it,” he said.

Before you go...

Please consider supporting Technical.ly to keep our independent journalism strong. Unlike most business-focused media outlets, we don’t have a paywall. Instead, we count on your personal and organizational support.

3 ways to support our work:
  • Contribute to the Journalism Fund. Charitable giving ensures our information remains free and accessible for residents to discover workforce programs and entrepreneurship pathways. This includes philanthropic grants and individual tax-deductible donations from readers like you.
  • Use our Preferred Partners. Our directory of vetted providers offers high-quality recommendations for services our readers need, and each referral supports our journalism.
  • Use our services. If you need entrepreneurs and tech leaders to buy your services, are seeking technologists to hire or want more professionals to know about your ecosystem, Technical.ly has the biggest and most engaged audience in the mid-Atlantic. We help companies tell their stories and answer big questions to meet and serve our community.
The journalism fund Preferred partners Our services
Engagement

Join our growing Slack community

Join 5,000 tech professionals and entrepreneurs in our community Slack today!

Trending

The person charged in the UnitedHealthcare CEO shooting had a ton of tech connections

From rejection to innovation: How I built a tool to beat AI hiring algorithms at their own game

Where are the country’s most vibrant tech and startup communities?

The looming TikTok ban doesn’t strike financial fear into the hearts of creators — it’s community they’re worried about

Technically Media