The US National Security Agency (NSA) has discovered a serious security problem in Windows 10 that hackers could use to create malicious software which, at first glance, looks legitimate. Microsoft has released a patch and pointed out that it has seen no evidence that the bug was actually used by a hacker. According to the BBC, the whole matter became known at the NSA Press Conference. It is not clear how long the NSA knew about the issue before revealing it to Microsoft.

Brian Krebs, the security expert who first mentioned the discovery, said the software giant had sent the patch to US armed forces and other high-level users ahead of its release. As he wrote, it was “unusually scary”.

The problem occurs in a key piece of Windows known as crypt32.dll, a component that gives software developers access to various functions, such as digital certificates used as “signatures” on software. In theory, this would allow a hacker to pass off malware as completely legitimate software. The problem was also present in both Windows Server 2016 and 2019, but does not appear to affect earlier versions of the operating system.

NSA cyber security director Anne Neuberger told reporters that this bug is a “trusting vulnerability” and added that the agency decided to publicize the NSA’s role in detecting it at Microsoft’s request. As Reuters indicates, this is the first time the NSA has publicly announced its involvement in a software security update, although the agency has said it has previously notified companies of problems with their products. Neuberger mentioned that the agency seeks more transparency with the community of security researchers.

Chris Poultsidis
Larissa TEAM