Today is the final day for public security updates for Windows 7. It is also the day when, as security writer Brian Krebs reports, the U.S. National Security Agency (NSA) decided to “Turn a New Leaf” and play the more traditional role of vulnerability reporter to a vendor and get credit for it. Specifically, the NSA is reported to have disclosed CVE-2020-0601, a critical vulnerability Microsoft is patching today that affects cryptography in Windows 10 and Windows Server 2016. Update: The NSA released an official advisory Tuesday about the vulnerability.
Ironically, on this last day of security updates for Windows 7, the retiring operating system is unaffected by this vulnerability, possibly one of the most significant in a while.
It’s significant on its technical merits: it makes it possible to create a spoofed code-signing certificate, which means someone can make malicious code look like legitimate, trusted code. There is also a risk that it could be used for “man-in-the-middle” (MitM) attacks, in which an attacker positions themselves between two communicating parties and is able to “listen in” on network traffic that those parties believe is encrypted.
The vulnerability is more significant, though, because of who found it and how it has been handled. This is the first vulnerability that the NSA has found, brought to the vendor, and been publicly acknowledged for as the “finder.” It represents a notable step by the NSA toward “getting right” with the security research community and its practices.
Microsoft President Brad Smith, in his call for a “Digital Geneva Convention” said governments “should mandate that governments report vulnerabilities to vendors rather than stockpile, sell or exploit them.”
The computer worm Stuxnet, exploiting a Windows vulnerability, was believed to be the work of U.S. and Israeli intelligence agencies.
Today’s action by the NSA, and the agency’s choice to call this approach “Turning a New Leaf,” would seem to indicate that the U.S. government is at least somewhat tacitly endorsing this approach. Only the future will show if this trend continues, but it is a promising start.
Krebs noted the NSA recommended what amounts to a triage approach if organizations can’t patch widely and quickly. Specifically, they suggested prioritizing critical, more exposed systems such as those that do TLS validation, domain controllers, DNS servers, and VPN servers. By patching these first, organizations can minimize their risk and exposure. These are solid recommendations.
Also, a source at Microsoft notes that Windows Defender has strong coverage for this vulnerability, meaning the operating system already has protections in place against attempts to exploit it.