National Interest Wins Out as the NSA Alerts Microsoft to Critical Spoofing Vulnerability in Windows

In a first for both the National Security Agency (NSA) and Microsoft, the NSA will publicly take credit for discovering a vulnerability and Microsoft will credit the NSA for reporting a security flaw.

The flaw in question - CVE-2020-0601 - is a critical spoofing vulnerability that exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.

"The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution," said the NSA in a Cybersecurity Advisory. "Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities."

The NSA added that "sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render (software) as fundamentally vulnerable."

Affected software are Windows 10 and Windows Server 2016/2019, as well as applications that rely on Windows for trust functionality. Microsoft said it hasn't seen the vulnerability used in any attacks and both the NSA and Microsoft urge users to patch their software ASAP.

"The consequences of not patching the vulnerability are severe and widespread," said the NSA.

The fact the NSA tipped off Microsoft points to the severity of the vulnerability, with upwards of a billion computers being at risk. This isn't the first time the NSA has alerted a tech company about a flaw but, as outlined by the Vulnerabilities Equities Process (VEP), it was within its rights to keep knowledge of the vulnerability to itself and use the information for its own benefit.

The VEP allows the US government to determine whether it should make information about vulnerabilities public, or keep the info to itself for use against those preceived to be 'adversaries'. The VEP weighs up the "benefit to national security and the national interest" when deciding whether to disclose or restrict knowledge of a vulnerability.

National interest won out this time.

. . .

If you want to stay notified of vulnerabilities that affect you, register for a weekly security report customised to your stack.