The Fort Meade, Maryland-based National Security Agencys cybersecurity work typically operates out of view. After all, it famously earned the nickname No Such Agency.

But this week, the NSA went public with a security flaw it found. The serious vulnerability was flagged in Microsoft products including Windows 10 and Server 16. The bug traces to a weakness in a cryptography function that verifies whether a system is downloading software that is legitimately from Microsoft.

You can use that weakness to make Windows [10] systems download and install software that appears to be coming from Microsoft that is not, said Edward Stanford, CTO of Columbia-based Zuul, which works with customers on certificate management and cryptography management for industrial controls and Internet of Things systems.

This could lead attackers to develop new exploits that take control of systems. The NSA alerted Microsoft to the vulnerability, and the company released a patch to fix systems. NSA then went public with a key message: Update systems with a patch.

This is bad, Stanford said. If you do it right then you can take over most networks or computers that are Windows-based. The faster they get patched, the less true that statement will be.

This could affect a broad group of systems, from personal laptops to corporate servers. But installing a patch on a home laptop is a fix on a different scale from making sure an entire companys network is protected.

Now that its a widely known exploit, everyones got to defend against it. Most home systems have an easy button, most corporate systems dont, Stanford said. However, he said of the company systems, that doesnt mean it cant be done.

Plenty of companies have been taking action, as well, including Columbia-based cybersecurity company Tenable,which works with released plugins to identify the vulnerability.

This vulnerability, and the attention its received from various government agencies, is unprecedented. It calls into question our very trust in todays digital world the trust that our encoded communications are secure, said Renaud Deraison, cofounder and CTO of Tenable, in a statement. We implore organizations to patch their systems immediately.

For NSA, the public announcement isnt unprecedented, but its also not a move thats made often. For one, that indicates the severity of the threat posed by the vulnerability. At the same time, Wired noted that its distinct from how the NSA approached a hacking tool known as EternalBlue, which also centered on a Microsoft vulnerability. In that case, NSA did not disclose the flaw publicly. This squares with actions of an intelligence agency looking to gain an edge on the cyber battlefield. But it was later leaked online, and used in attacks. Going forward, NSA Cybersecurity Directorate head Anne Neuberger told reporters this week that the agency will disclose more findings to the public.

Stanford said this weeks public disclosure shows a willingness by NSA to embrace another part of its mission: protecting the countrys infrastructure.

Im really glad they stepped up, saw a problem and helped everyone fix it, he said.

See original here:

NSA goes public with Windows security vulnerability - Technical.ly DC