Published: Thu, January 16, 2020
Electronics | By Kelly Massey

Microsoft fixes Windows crypto bug reported by the NSA

Extended Security Updates (ESU) means crucial updates will continue even though both Windows 7 versions will not receive regular bug fixes and updates or assistance from Microsoft Support.

The security flaw leaves Windows vulnerable to a broad range of exploitation vectors, and the NSA expects remote exploitation tools to quickly become widely available.

"[This bug] reflects a weakness in the implementation of one subtle aspect of Public Key Infrastructure (PKI) certificate validation".

The flaw was found in a function of Windows 10 that verifies cryptographic trust.

Microsoft said the flaw could allow a hacker to forge digital certificates used by some versions of Windows to authenticate and secure data.

After almost a year-long journey of testing, Microsoft's new Chromium Edge browser is exiting beta and an official final version is now available for download.

Microsoft urges customers to purchase a full version of Windows 10 Home - prices start from $A225.00 - or to purchase a new PC that includes the operating system as standard. Although Microsoft says it hasn't seen evidence the issue has been exploited in the wild, it's a significant vulnerability that could allow an attacker to "decrypt confidential information" on unpatched systems. This is a central component of Windows 10 security.

Those changes happened after a mysterious group calling itself the "Shadow Brokers" released a trove of high-level hacking tools stolen from the NSA, forcing companies including Microsoft to fix their systems.


He cited a tweet from Will Dormann, a security researcher who authors numerous vulnerability reports for the CERT Coordination Center (CERT-CC), after he had tweeted that "people should perhaps pay very close attention to installing tomorrow's Microsoft Patch Tuesday updates in a timely manner".

If you are running a pilot with any of the pre-release channels (canary, dev, beta), the release version of Edge will run alongside those iterations; those builds will not be updated to the stable channel version. But system admins are advised to apply the CVE-2020-0601 patch immediately.

She added that the agency had decided to make its involvement in the discovery public at Microsoft's request.

Security experts were quick to warn about the dangers associated with this flaw.

Microsoft has opened new doors by switching to a Chromium-based browser as it will be able to put Edge on more platforms than Windows 10.

Mechele Gruhn, principal security program manager for the Microsoft Security Response Center, says that the company has classified the vulnerability as "important" because it hasn't been exploited, but the NSA classifies it as "severe".

Firefox users can also download the free update here.

The vendor, which ended support for Windows 7, Windows Server 2008 and Windows Server 2008 R2 on January 14, is heavily plugging its cloud service, claiming in a blog post that it will bring "immediate and tangible" benefits. It was only after the NSA came to know of others also being aware of Eternal Blue that it chose to let Microsoft know of it.
