#BugAlert: Critical security vulnerability flagged in Windows 10; update now
What's the story
After Firefox, Windows 10 has been plagued by a security vulnerability.
Though the OS hasn't had a smooth, bug-free run in a long time, the latest issue is a critical flaw, one that has been flagged by the National Security Agency (NSA) of US.
It even affects other iterations of Windows and needs to be patched immediately.
Here are the details.
Bug
Security flaw that could make malicious software look legitimate
While NSA is infamous for keeping critical vulnerabilities under the wraps so that they could be used for future intelligence needs, this time the agency reported the vulnerability to Microsoft.
In a press conference, it described the issue in question as a "serious vulnerability" that could be used by hackers to make malicious software, capable of spying, stealing files, look legitimate.
Quote
Here's what NSA said about the vulnerability
"The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors. NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable."
Details
What exactly was the issue?
The issue, as The Verge describes, ties to Windows' handling of certificate and cryptographic messaging functions and opens a way for a threat actor to spoof the digital signature of legit software.
This way, they could use the spoofed signature with a malicious program and trick machines that rely on digital signatures to verify software into believing that the malware-laced program is authentic.
Possibility
Ultimately, this could lead to major attacks
By making malicious software look authentic, an attacker could carry out 'man-in-the-middle' attacks, Microsoft said.
The company didn't classify the issue as a 'critical' level problem but said if it had been exploited, an attacker would have been able to decrypt confidential information on user connections to the malicious software in question.
Notably, it emphasized that there's no evidence that anyone exploited the vulnerability.
Fix
Fix now rolling out for different versions of Windows
The Redmond giant is now releasing a patch to fix the issue on Windows Server 2016, Windows Server 2019, and Windows 10, which is used by more than 400 million people, according to stats from 2017.
"Customers who have already applied the update, or have automatic updates enabled, are already protected," said Jeff Jones, a senior director at Microsoft, stated.