This month’s Patch Tuesday is set to be extraordinary, not only because it brings the first cumulative update of 2020, but because it fixes a serious security vulnerability in Windows and, more importantly, because the vulnerability was reported to Microsoft by the NSA. It is the first time in the NSA’s history that such a report has been sent to Microsoft.
In the past, the NSA tended to exploit vulnerabilities in Windows systems for various purposes and never let Microsoft know which vulnerabilities were effective. But in the first month of 2020, the NSA appears to have voluntarily reported this vulnerability. That is certainly a good thing. The new vulnerability is tracked as CVE-2020-0601, also nicknamed “NSACrypt.”
Reports say the security vulnerability in the Windows component crypt32.dll is so severe that Microsoft released a patch to government security services in advance. “Multiple sources confirm that Microsoft is scheduled to release a software update on Tuesday to fix critical vulnerabilities in the core encryption components in all Windows versions,” KrebsOnSecurity said. “The patches have been sent in advance to U.S. military branches and other high-value customers/targets that manage critical Internet infrastructure, and these organizations are required to sign agreements to prevent them from disclosing details of the vulnerabilities.”
The problem affects Microsoft’s Windows 10 operating system, which is common both within enterprises and among consumers. The vulnerability lies in the cryptographic code used to verify digital signatures on content such as software or files. If exploited by criminals, it allows them to deliver malicious content carrying a forged signature that appears to be legitimately signed.
It’s unclear how long the NSA knew about the vulnerability before it alerted Microsoft, but the collaboration differs from past interactions between the agency and major software developers such as Microsoft. In the past, the NSA has kept some major vulnerabilities secret so that they could be used in its own operations.
Microsoft issued a statement but declined to confirm the report or provide further details. “We follow the principle of coordinated vulnerability disclosure as an industry best practice to protect our customers from security vulnerabilities,” the statement said. “To prevent unnecessary risk to customers, security researchers and vendors do not discuss vulnerability details until updates are available.”
“Customers who have applied the update or enabled automatic updates are now protected,” Jeff Jones, a senior executive at Microsoft, said in a statement on Tuesday. “As always, we encourage our customers to install all security updates as soon as possible.” Microsoft also said it had not seen any “in-the-wild” exploitation of the vulnerability, i.e. no attacks outside lab test environments.
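As an added defender-side check (example code, not from the article or from Microsoft), the script below reports the installed crypt32.dll version and counts the exploitation-attempt events that the patched certificate validator writes to the Application log. It assumes the event source Microsoft-Windows-Audit-CVE with event ID 1, which Microsoft documented as being added by the January 2020 update, and the function name is hypothetical.

```powershell
# Added example: audit a Windows host for CVE-2020-0601 patch status and
# logged exploitation attempts. Not code from the article.
# Assumptions: after the January 2020 update, crypt32.dll writes an Application
# log event (provider Microsoft-Windows-Audit-CVE, ID 1) whenever it rejects a
# certificate crafted to abuse CVE-2020-0601; crypt32.dll lives in System32.

function Get-Cve20200601Status {
    [CmdletBinding()]
    param(
        # How far back to search the Application log for Audit-CVE events.
        [int]$Days = 30
    )

    # 1. Report the installed crypt32.dll version so it can be compared with the
    #    version shipped in the January 2020 cumulative update for this OS build.
    $dll     = Join-Path $env:SystemRoot 'System32\crypt32.dll'
    $version = (Get-Item $dll).VersionInfo.ProductVersion

    # 2. Collect exploitation-attempt events written by the patched validator.
    #    An unpatched host has no such provider, so the query simply returns nothing.
    $since  = (Get-Date).AddDays(-$Days)
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Audit-CVE'
        Id           = 1
        StartTime    = $since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'CVE-2020-0601' })

    $latest = if ($events.Count -gt 0) {
        ($events | Sort-Object TimeCreated -Descending)[0].TimeCreated
    } else { $null }

    # 3. Return a single object so the result can be piped to a report or SIEM.
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Crypt32Version  = $version
        LookbackDays    = $Days
        ExploitAttempts = $events.Count
        LatestAttempt   = $latest
    }
}

# Usage: run in an elevated PowerShell session on the host being checked.
Get-Cve20200601Status -Days 30 | Format-List
```

A non-zero ExploitAttempts count means the patched validator rejected a crafted certificate, which is worth triaging even though the content was blocked.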