NSA: Windows 10 flaw threatens the foundations on which the Internet operates
Earlier today we wrote about a major vulnerability affecting Windows 10 and Windows Server 2016, which was uncovered by the NSA and duly reported to Microsoft.
At the time, details of the vulnerability were scarce, but now that Microsoft has issued a fix for it as part of its January 2020 Patch Tuesday updates, the NSA has revealed its worrying findings.
Neal Ziring, Technical Director of the NSA Cybersecurity Directorate, explains:
CVE-2020-0601 is a serious vulnerability, because it can be exploited to undermine Public Key Infrastructure (PKI) trust. PKI is a set of mechanisms that home users, businesses, and governments rely upon in a wide variety of ways. The vulnerability permits an attacker to craft PKI certificates to spoof trusted identities, such as individuals, web sites, software companies, service providers, or others. Using a forged certificate, the attacker can (under certain conditions) gain the trust of users or services on vulnerable systems, and leverage that trust to compromise them.
This kind of vulnerability may shake our belief in the strength of cryptographic authentication mechanisms and make us question whether we can really rely on them. Fortunately, we can. CVE-2020-0601 reflects a weakness in the implementation of one subtle aspect of PKI certificate validation. The technology and standards are sound; it is one implementation that needs repair.
CVE-2020-0601 poses significant risk for enterprises and systems that depend on PKI for trust -- as all of us do. The patch is the only comprehensive means to mitigate the risk. While means exist to detect or prevent some forms of exploitation, none of them are complete or fully reliable. It is critical for enterprises to apply the patch fully across their Windows 10 and Server 2016 installed base; attackers excel at finding vulnerable targets. Further details are available in the published NSA Cybersecurity Advisory; it offers guidance on prioritization and instrumentation.
This vulnerability may not seem flashy, but it is a critical issue. Trust mechanisms are the foundations on which the Internet operates -- and CVE-2020-0601 permits a sophisticated threat actor to subvert those very foundations.
NSA contributed to addressing this problem by discovering and characterizing the vulnerability, and then sharing with Microsoft quickly and responsibly. The company has provided the solution, and now all of us need to adopt it.
Both the NSA and Microsoft stress that everyone needs to patch their systems as soon as possible. The affected code is present in Windows 10, Windows Server 2016 and Windows Server 2019; older Windows versions do not contain it and need no action for this issue.