WASHINGTON – The National Security Agency announced that it had found a “critical vulnerability” in Microsoft Corp.’s Windows operating systems that could enable cyber intrusions.
The NSA recognized “the severity of the vulnerability” and disclosed it to Microsoft to expedite the process of fixing it, according to Anne Neuberger, the NSA’s director of cybersecurity, speaking to reporters on Tuesday. Microsoft released a patch the same day.
The Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security, is releasing an emergency directive on Tuesday, urging federal civilian agencies to take “a series of immediate actions to mitigate this risk and to minimize the exposure to associated threats to our federal information systems,” said Bryan Ware, an assistant secretary in the department.
The NSA chose to publicly share that it had found the flaw – a break from past protocol when information about how vulnerabilities were discovered wasn’t made public – in order to build trust and encourage patching, Neuberger said.
“We wanted to take a new approach to sharing and also really work to build trust with the cybersecurity community,” she said.
Microsoft hasn’t seen the flaw used in active attacks, the company said in announcing the patch.
The flaw lies in a part of Windows software known as Crypt32.dll. That file is used by Windows 10 and the last two versions of the Windows Server operating systems – to implement “many of the Certificate and Cryptographic Messaging functions in the CryptoAPI, such as CryptSignMessage” – according to Microsoft. This means that the flaw could affect a broad range of users.
The disclosure appears to represent an improvement in relations between Microsoft and the NSA, which previously secretly collected security exploits of Microsoft’s Windows in order to use the tools for its own hacks. Details of the practice became public in 2017 when a group known as the Shadow Brokers obtained and published the NSA’s tools, leading to an emergency for Microsoft as the company rushed to patch the “zero day” exploits. One month later, Microsoft blamed the NSA exploits for the global spread of malicious software called “WannaCrypt.”
Microsoft has a policy of regularly releasing security updates on the second Tuesday of each month, and this update aligns with that schedule, according to a Monday statement by Jeff Jones, a senior director at the company.
“We follow the principles of coordinated vulnerability disclosure as the industry best practice to protect our customers from reported security vulnerabilities,” Jones said in the statement. “To prevent unnecessary risk to customers, security researchers and vendors do not discuss the details of reported vulnerabilities before an update is available.”
News of the NSA’s discovery was previously reported by The Washington Post and Krebs on Security, a cybersecurity blog.
Dina Bass and Alyza Sebenius are reporters for Bloomberg News.
Want to share this story? Click Here to purchase a link that allows anyone to read it on any device whether or not they are a subscriber.
