Critical Windows 10 security fix pushed out after NSA warns Microsoft of spying vulnerability

Graham Cluley @gcluley

Critical Windows 10 security fix pushed out after NSA warned Microsoft of critical vulnerability

Hundreds of millions of Windows 10 users are having an important patch rolled out to their computers today after Microsoft was warned by the NSA of a serious security hole in the operating system.

The fix comes as part of “Patch Tuesday”, Microsoft’s regular bundle of patches issued on the second Tuesday of every month, and addresses a dangerous vulnerability – dubbed unglamorously CVE-2020-0601 – in a component of Windows called CryptoAPI:

An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.

Email Sign up to our newsletterSign up to Graham Cluley’s newsletter - "GCHQ"
Security news, advice, and tips.

A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

The good news is that Microsoft says it has not seen any evidence that CVE-2020-0601 has been actively exploited by attackers.

However, it’s clear from public statements from the NSA that the update should be applied to vulnerable systems as a matter of priority.

What has perhaps given this security hole more attention than normal is that the NSA has publicly confirmed that it gave Microsoft details of the vulnerability, so that it could be patched.

Memorably, the NSA also told Microsoft about an exploit in Windows SMB, codenamed “Eternal Blue”. Despite Microsoft rolling out a patch for that vulnerability, it was weaponised by the Wannacry ransomware and hit computers around the world, most notably at the UK’s National Health Service.

The twist in the tale with the Eternal Blue exploit is that it had actually been developed by the NSA itself, and used by them – one presumes – to spy on people and countries of interest. It was only when the code was stolen from the NSA by a group of hackers known as the Shadow Brokers, that the NSA realised the cat was out of the bag – and that it was in national security interests to share details with Microsoft and get a patch pushed out.

There’s no evidence that the NSA developed CVE-2020-0601 to spy on Windows 10 computers. All we know is that they uncovered the flaw, and decided to tell Microsoft.

So they’re either telling Microsoft out of the goodness of their hearts, with a desire to have a patch pushed out that protects hundreds of millions of users. Or they’re worried that someone else has developed the same exploit. Of course, it’s possible that both are true.

Coincidentally, today’s Patch Tuesday security updates from Microsoft are the last which cover the ageing Windows 7 operating system.

The NCSC, a division of GCHQ, Britain’s equivalent to the NSA, warned this week that users of Windows 7 should no longer use computers running the no-longer-supported operating system for online banking or other sensitive activities such as reading email.

If there’s any comfort to be had at all, it’s that Windows 7 is not vulnerable to the CVE-2020-0601 security flaw discovered by the NSA in Windows 10.

My advice? If Microsoft and the NSA are telling you to patch your Windows 10 computer, you should patch your Windows 10 computer. Pronto.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.