NSA discovers a serious flaw in Windows 10
The US National Security Agency (NSA) has discovered a major flaw in Windows 10 and Windows Server 2016 that could potentially expose users to "significant breaches or surveillance", according to the Washington Post.
In the past, the NSA might have simply weaponized the vulnerability, as it did by creating the hacking tool EternalBlue, but this time around the organization instead chose to report the flaw to Microsoft, and a fix is expected to be issued as part of today’s Patch Tuesday updates.
According to Krebs on Security, "the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles 'certificate and cryptographic messaging functions in the CryptoAPI.' The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates."
The NSA’s Cybersecurity Directorate is expected to make an official announcement about the vulnerability once Microsoft’s patch rolls out, including when the flaw was first discovered.
Microsoft, for its part, has said only that it does not discuss reported vulnerabilities prior to an update being made available (for obvious reasons).
Anyone on Windows 7 planning to upgrade to the "safer" Windows 10 might want to wait a day or two...