CISA alerts on NSA-discovered Windows 10 flaw

The National Security Agency informed Microsoft about a previously unidentified flaw in the Windows 10 operating system that could allow a man-in-the-middle attacker to spoof public key infrastructure certificates and so impersonate trusted parties.

Microsoft issued patches in its regular Patch Tuesday updates, and the Cybersecurity and Infrastructure Security Agency issued an emergency directive the same day giving federal agencies 10 business days to ensure the patches are applied to "all affected endpoints on agency information systems," including new endpoints and endpoints that are currently disabled.

"Agencies should prioritize patching mission critical systems and High Value Assets (HVAs), internet-accessible systems, and servers," the directive states. "Agencies should then apply the patch to the remaining endpoints."

Public key infrastructure binds cryptographic keys to the identities of users, devices and organizations through certificates; software that verifies a digital signature checks it against the certificate chain to decide whether the signer is trusted. Because the flaw lets a forged chain pass that check, attackers could use it to trick users into installing "updates" from apparently trusted parties that are actually malware.

"It bypasses the trust store, allowing unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization, which may deceive users or thwart malware detection methods like anti-virus," the CISA directive states.
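The point of the quoted passage is that a signature check is only as good as the certificate-chain validation behind it. The following PowerShell script is an added example, not code from the article, CISA or NSA: it inspects the Authenticode signature of a downloaded installer and prints every certificate in the chain along with its signature algorithm, so an administrator can compare the signer and root against what they expect out of band. The `$Path` parameter is an assumption for illustration.

```powershell
# Added example (not from the article or the CISA directive): inspect the
# Authenticode signature and certificate chain of a file before running it.
# $Path is a placeholder for the installer you are about to trust.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

# Ask the platform CryptoAPI to verify the signature on the file.
$sig = Get-AuthenticodeSignature -FilePath $Path
"Status        : $($sig.Status)"          # Valid, NotSigned, HashMismatch, UnknownError ...
"StatusMessage : $($sig.StatusMessage)"

if ($sig.SignerCertificate) {
    # Rebuild the chain explicitly so every element is visible, not just the verdict.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $null = $chain.Build($sig.SignerCertificate)

    "Chain (leaf first):"
    foreach ($el in $chain.ChainElements) {
        $cert = $el.Certificate
        "  {0}`n    thumbprint: {1}`n    algorithm : {2}" -f $cert.Subject,
            $cert.Thumbprint, $cert.SignatureAlgorithm.FriendlyName
    }
    foreach ($st in $chain.ChainStatus) {
        "  chain status: $($st.Status) - $($st.StatusInformation)"
    }
}
```

The caveat a practitioner should keep in mind: this script relies on the same Windows validation code the flaw lives in, so on an unpatched system a forged chain can still report `Valid`. Apply the patch first; the printed thumbprints are useful as a second check only when compared against a root and signer recorded from a trusted source rather than taken from the file itself.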

While cybersecurity experts are still debating the severity of the flaw, a notification (and public confirmation) from NSA is rare and indicates that the agency views the potential for harm as serious.

"NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable," the agency wrote in a cybersecurity advisory released Tuesday.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.
