Stefan Mileschin

Spotted by the NSA

Microsoft has patched a serious security vulnerability in a core cryptographic component present in all versions of Windows.

The vulnerability was spotted and reported by the NSA and affected encryption of digital signatures used to authenticate content, including software or files.

If exploited, the flaw could allow criminals to send malicious content with fake signatures that make it appear safe. The finding was reported earlier by The Washington Post. It is unclear how long the NSA knew about the flaw before reporting it to Microsoft.

The cooperation, however, is a departure from past interactions between the NSA and major software developers such as Microsoft. In the past, the top security agency has kept some major vulnerabilities secret in order to use them as part of the US tech arsenal but in this case, it was a little risky to allow that howler out in the wild.

In a statement, Microsoft declined to confirm or offer further details. "We follow the principles of coordinated vulnerability disclosure as the industry best practice to protect our customers from reported security vulnerabilities. To prevent unnecessary risk to customers, security researchers and vendors do not discuss the details of reported vulnerabilities before an update is available."

Jeff Jones, a senior director at Microsoft said in a statement: "Customers who have already applied the update, or have automatic updates enabled, are already protected. As always we encourage customers to install all security updates as soon as possible." Microsoft has not seen any exploitation of the flaw "in the wild," which means outside a lab testing environment.

https://fudzilla.com/news/50120-micr...-in-windows-10