CISA alerts on NSA-discovered Windows 10 flaw

The National Security Agency informed Microsoft of a previously unknown flaw in how the Windows 10 operating system validates certificates, one that could let a man-in-the-middle attacker spoof the public key infrastructure certificates of trusted parties.

Microsoft issued patches in its regular Patch Tuesday update, and the same day the Cybersecurity and Infrastructure Security Agency issued an emergency directive giving federal agencies 10 business days to ensure the patches are applied to "all affected endpoints on agency information systems," and to newly provisioned or previously disconnected endpoints before they are allowed to connect to agency networks.

"Agencies should prioritize patching mission critical systems and High Value Assets (HVAs), internet-accessible systems, and servers," the directive states. "Agencies should then apply the patch to the remaining endpoints."
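A check an administrator working through that directive would want is an inventory of which endpoints are still unpatched. The following PowerShell script is an added example, not code from the article, Microsoft or CISA. Because Windows 10 updates are cumulative, testing for one KB ID reports false "missing" results once a later cumulative update has been installed, so the script instead compares each machine's update build revision (UBR) against the first patched revision for its build. The `$MinimumUBR` table is an assumption: fill it from the Microsoft advisory for the Windows 10 builds you run.

```powershell
# Added example, not code from the article, Microsoft or CISA: report which Windows 10 endpoints
# are still below the patched build revision for this flaw.
# Assumption: $MinimumUBR is filled from the Microsoft advisory, keyed by CurrentBuild,
# e.g. @{ <build> = <first patched UBR> }. Requires WinRM (Invoke-Command) access to each endpoint.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [Parameter(Mandatory)][hashtable]$MinimumUBR
)

$report = foreach ($c in $ComputerName) {
    try {
        # Read the build and UBR from the registry on the remote machine.
        $ver = Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
            $k = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
            [pscustomobject]@{
                Product = $k.ProductName
                Build   = [int]$k.CurrentBuild
                UBR     = [int]$k.UBR
            }
        }
        $status = if (-not $MinimumUBR.ContainsKey($ver.Build)) {
            'UNKNOWN BUILD'      # not in your table: check the advisory, do not assume it is safe
        } elseif ($ver.UBR -ge $MinimumUBR[$ver.Build]) {
            'Patched'
        } else {
            'MISSING'
        }
        [pscustomobject]@{
            ComputerName = $c
            Product      = $ver.Product
            Version      = "$($ver.Build).$($ver.UBR)"
            Status       = $status
        }
    } catch {
        # An endpoint you cannot reach is the "previously disconnected" case the directive covers:
        # it must be verified before it rejoins the network, so it is reported rather than skipped.
        [pscustomobject]@{
            ComputerName = $c
            Product      = ''
            Version      = ''
            Status       = "UNREACHABLE: $($_.Exception.Message)"
        }
    }
}

# MISSING, UNKNOWN BUILD and UNREACHABLE rows are the work list; Patched rows need no action.
$report | Sort-Object Status | Format-Table -AutoSize
```

Run it with the host list for one priority tier at a time (mission-critical systems and high value assets, then internet-facing systems and servers, then the rest) so the output matches the order in which the directive asks agencies to patch. Note that the script only reports installation of the update; it does not re-validate any certificate, since on an unpatched machine the operating system's own certificate checks are exactly what the flaw subverts.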

Public key infrastructure binds cryptographic keys to the identity of a user, device or organization through certificates issued by trusted certificate authorities, and Windows relies on those certificates to check who signed a piece of software before it is run or installed. A forged certificate that Windows accepts as genuine therefore lets an attacker trick users into installing "updates" from apparently trusted parties that are actually malware.

"It bypasses the trust store, allowing unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization, which may deceive users or thwart malware detection methods like anti-virus," the CISA directive states.

While cybersecurity experts are still debating the severity of the flaw, the notification (and public confirmation) from NSA is rare and indicates that the agency views the potential for harm as serious.

"NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable," the agency wrote in a cybersecurity directive released Tuesday.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at [email protected], or follow him on Twitter @derekdoestech.
