
CISA alerts on NSA-discovered Windows 10 flaw


The National Security Agency informed Microsoft of a previously unknown flaw in the Windows 10 operating system that could let a man-in-the-middle attacker spoof public key infrastructure (PKI) certificates so that they appear to belong to trusted parties.

Microsoft issued patches during its regular Patch Tuesday updates, and the Cybersecurity and Infrastructure Security Agency issued an emergency directive the same day giving federal agencies 10 business days to apply them to "all affected endpoints on agency information systems" and to ensure that newly provisioned or currently disconnected endpoints are patched before they join agency networks.

"Agencies should prioritize patching mission critical systems and High Value Assets (HVAs), internet-accessible systems, and servers," the directive states. "Agencies should then apply the patch to the remaining endpoints."
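An administrator tracking the 10-business-day deadline needs a way to see which endpoints still lack the update and which of them are the high value assets the directive says to patch first. The script below is an added example and is not part of the FCW article, the CISA directive or any Microsoft tooling; the KB identifier, host list and HVA list are placeholders supplied by the operator, since the article does not name the update's KB number.

```powershell
# Added example: report patch status for a list of Windows endpoints, HVAs first.
# Assumptions (not from the article): the operator passes the real KB number,
# the hosts accept remote WMI/CIM queries, and the HVA list comes from the agency's
# own asset inventory.
param(
    [Parameter(Mandatory)] [string]   $KbId,              # e.g. 'KB1234567' (placeholder)
    [Parameter(Mandatory)] [string[]] $ComputerName,      # endpoints to check
    [string[]] $HighValueAssets = @()                     # hosts CISA says to patch first
)

$results = foreach ($computer in $ComputerName) {
    $status = 'unreachable'
    if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
        try {
            # Get-HotFix reads Win32_QuickFixEngineering on the remote host; comparing
            # against the full list avoids treating "KB not found" as a query error.
            $installed = (Get-HotFix -ComputerName $computer -ErrorAction Stop).HotFixID
            $status = if ($installed -contains $KbId) { 'patched' } else { 'missing' }
        } catch {
            $status = 'query-failed'   # host up, but remote query denied or broken
        }
    }
    [pscustomobject]@{
        Computer = $computer
        Priority = if ($HighValueAssets -contains $computer) { 'HVA' } else { 'standard' }
        Status   = $status
    }
}

# Unpatched HVAs come first so the directive's priority order drives the work list.
$results |
    Sort-Object @{ Expression = { $_.Priority -eq 'HVA' }; Descending = $true },
                @{ Expression = { $_.Status -eq 'patched' } },
                Computer |
    Format-Table -AutoSize

$missing = @($results | Where-Object Status -ne 'patched')
Write-Output ("{0} of {1} endpoints still need attention" -f $missing.Count, $results.Count)
```

Run it as `.\Check-Patch.ps1 -KbId KB1234567 -ComputerName (Get-Content hosts.txt) -HighValueAssets (Get-Content hva.txt)`. One caveat: Get-HotFix only lists updates recorded in Win32_QuickFixEngineering, so confirm the result on a sample host by checking its OS build number as well, and treat 'query-failed' as unverified rather than patched.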

Public key infrastructure binds cryptographic keys to the users and devices that hold them, so that signed code and secured connections can be authenticated. An attacker exploiting the vulnerability could present malware as a signed "update" from a trusted party, which Windows, and the user, would accept as genuine.

"It bypasses the trust store, allowing unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization, which may deceive users or thwart malware detection methods like anti-virus," the CISA directive states.

While cybersecurity experts are still debating the severity of the flaw, the notification (and public confirmation) from NSA is rare and indicates that the agency views the potential for harm as serious.

"NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable," the agency wrote in a cybersecurity advisory released Tuesday.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.
