NSA Discovers Windows Vulnerability — and Tells Microsoft

The National Security Agency (NSA) discovered a vulnerability in versions of Windows and, instead of retaining it, reported it to Microsoft, which is now patching the flaw in how Windows handles certificate and cryptographic messaging functions. The vulnerability could have enabled attackers to pass malicious code off as legitimate software. Microsoft also warned all current users of Windows 7 Home Basic, Home Premium, Professional or Ultimate to upgrade immediately.

The Verge reports Microsoft is “recommending that enterprises patch it immediately or prioritize systems that host critical infrastructure like domain controllers, VPN servers, or DNS servers.” The company, which is “now patching Windows 10, Windows Server 2016, and Windows Server 2019,” hadn’t initially marked this flaw as its highest “critical” level. The NSA, however, warned that “malicious actors will inevitably reverse-engineer the fix to discover the flaw and use it on unpatched systems.”

The Verge notes that “it’s unusual to see the NSA reporting these types of vulnerabilities directly to Microsoft, but it’s not the first time the government agency has done so.” But, it adds, “this is the first time the NSA has accepted attribution from Microsoft for a vulnerability report.”

The Wall Street Journal reports that “in a sign of how severe officials considered the flaw, the Department of Homeland Security (DHS) issued an emergency directive on Tuesday instructing federal agencies to take a series of steps to apply patches to their systems immediately.” The department will also call private industry partners, said DHS senior official Bryan Ware.

According to WSJ, “NSA hackers often uncover errors in major software that can be exploited for malicious use … [and it] sometimes retains and weaponizes them for offensive use, such as to spy on a hostile foreign military’s communications.” That backfired in 2017, when stolen NSA hacking tools “were leaked online [and] contributed to a global cyberattack involving a Windows flaw.”

The Trump administration published a document listing “guidelines for when the government would disclose the discovery of such flaws and when to keep them secret for possible use in future offensive actions.”

Forbes reports that “Microsoft has started sending strongly worded, full screen upgrade warnings to all Windows 7 Home Basic, Home Premium, Professional or Ultimate users,” noting that support for Windows 7 ended on January 14, 2020. “These threats are very real and the lack of any future updates means Windows 7 is now the number one target for hackers worldwide,” says Forbes, which adds that “all Windows 7 users with a genuine license key can still upgrade to Windows 10 for free.”