The US National Security Agency (NSA) discovered a serious flaw in Windows 10 that could expose users to surveillance or serious data breaches, according to the Washington Post.
The bug is a problem for environments that rely on digital certificates to validate the software that machines run, a potentially far-reaching security issue if left unpatched. The NSA reported the flaw to Microsoft recently, and it’s recommending that enterprises patch it immediately or prioritize systems that host critical infrastructure like domain controllers, VPN servers, or DNS servers. Security reporter Brian Krebs first revealed the extent of the flaw yesterday, warning of potential issues with authentication on Windows desktops and servers.
In the past, the NSA might have kept the security hole to itself and used it to spy on adversaries. The best-known examples of that are WannaCry and EternalBlue, Windows 10 vulnerabilities the NSA discovered and exploited for years. The agency developed hacking tools to exploit those holes, but some of those tools were uncovered and released by a suspected Russian hacking group called the Shadow Brokers. EternalBlue is still used to this day against unpatched systems for ransomware, data theft, and other attacks.
The NSA confirmed that the vulnerability affects Windows 10 and Windows Server 2016. It said that it flagged the dangerous bug because it “makes trust vulnerable.” However, it wouldn’t say when it found the flaw and declined to discuss it further until Microsoft released a patch.
Microsoft is now patching Windows 10, Windows Server 2016, and Windows Server 2019. The software giant says it has not seen active exploitation of the flaw in the wild, and it has marked it as “important” and not the highest “critical” level that it uses for major security flaws. That’s not a reason to delay patching, though. Malicious actors will inevitably reverse-engineer the fix to discover the flaw and use it on unpatched systems.