CISA alerts on NSA-discovered Windows 10 flaw

The National Security Agency informed Microsoft of a previously unknown flaw in the Windows 10 operating system that could allow a man-in-the-middle attacker to spoof public key infrastructure certificates belonging to trusted parties.

Microsoft moved quickly to issue patches during its regular Patch Tuesday updates and the Cybersecurity and Infrastructure Security Agency issued an emergency directive the same day giving federal agencies 10 business days to ensure the patches are applied to "all affected endpoints on agency information systems" as well as new or existing disabled endpoints.

"Agencies should prioritize patching mission critical systems and High Value Assets (HVAs), internet-accessible systems, and servers," the directive states. "Agencies should then apply the patch to the remaining endpoints."

Public key infrastructure (PKI) is used to authenticate users and devices and to securely bind cryptographic keys to them. Attackers could use the vulnerability to trick users into installing "updates" that appear to come from trusted parties but are actually malware.

"It bypasses the trust store, allowing unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization, which may deceive users or thwart malware detection methods like anti-virus," the CISA directive states.

While cybersecurity experts are still debating the severity of the flaw, the notification (and public confirmation) from NSA is rare and indicates that the agency views the potential for harm as serious.

"NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable," the agency wrote in a cybersecurity directive released Tuesday.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.
