Critical Windows 10 security fix pushed out after NSA warns Microsoft of spying vulnerability

Graham Cluley
Graham Cluley
@[email protected]

Critical Windows 10 security fix pushed out after NSA warned Microsoft of critical vulnerability

Hundreds of millions of Windows 10 users are having an important patch rolled out to their computers today after Microsoft was warned by the NSA of a serious security hole in the operating system.

The fix comes as part of “Patch Tuesday”, Microsoft’s regular bundle of patches issued on the second Tuesday of every month, and addresses a dangerous vulnerability – dubbed unglamorously CVE-2020-0601 – in a component of Windows called CryptoAPI:

An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.

Sign up to our free newsletter.
Security news, advice, and tips.

A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

The good news is that Microsoft says it has not seen any evidence that CVE-2020-0601 has been actively exploited by attackers.

However, it’s clear from public statements from the NSA that the update should be applied to vulnerable systems as a matter of priority.

What has perhaps given this security hole more attention than normal is that the NSA has publicly confirmed that it gave Microsoft details of the vulnerability, so that it could be patched.

Memorably, the NSA also told Microsoft about an exploit in Windows SMB, codenamed “Eternal Blue”. Despite Microsoft rolling out a patch for that vulnerability, it was weaponised by the Wannacry ransomware and hit computers around the world, most notably at the UK’s National Health Service.

The twist in the tale with the Eternal Blue exploit is that it had actually been developed by the NSA itself, and used by them – one presumes – to spy on people and countries of interest. It was only when the code was stolen from the NSA by a group of hackers known as the Shadow Brokers, that the NSA realised the cat was out of the bag – and that it was in national security interests to share details with Microsoft and get a patch pushed out.

There’s no evidence that the NSA developed CVE-2020-0601 to spy on Windows 10 computers. All we know is that they uncovered the flaw, and decided to tell Microsoft.

So they’re either telling Microsoft out of the goodness of their hearts, with a desire to have a patch pushed out that protects hundreds of millions of users. Or they’re worried that someone else has developed the same exploit. Of course, it’s possible that both are true.

Coincidentally, today’s Patch Tuesday security updates from Microsoft are the last which cover the ageing Windows 7 operating system.

The NCSC, a division of GCHQ, Britain’s equivalent to the NSA, warned this week that users of Windows 7 should no longer use computers running the no-longer-supported operating system for online banking or other sensitive activities such as reading email.

If there’s any comfort to be had at all, it’s that Windows 7 is not vulnerable to the CVE-2020-0601 security flaw discovered by the NSA in Windows 10.

My advice? If Microsoft and the NSA are telling you to patch your Windows 10 computer, you should patch your Windows 10 computer. Pronto.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.