Updated January 15, 2020, 5:51 p.m.
Intelligence services such as the American National Security Agency (NSA) do not always report the IT security vulnerabilities they discover to the manufacturers; sometimes they quietly exploit them instead. In this case, however, Microsoft was alerted to a serious cryptographic vulnerability in Windows, and a patch has already been made available.
Microsoft has closed a serious security hole in its Windows operating system that could allow malware to pass itself off as legitimate software. The tip came from the US signals intelligence agency NSA, which discovered the vulnerability and reported it to the company. The hole can only be closed by installing the update for Windows 10, 8.1 and Windows Server (2012, 2016 and 2019) published on Tuesday.
There will be no free security update, however, for the outdated Windows 7, which still runs on millions of PCs. In its notes on the monthly security update, Microsoft merely pointed out that support for Windows 7 and older server systems ended on Tuesday (January 14). Companies and organizations can still obtain the necessary patches through a paid extended-support contract; for private customers, newly found security holes in Windows 7 will no longer be closed.
Windows accepted fake trust certificates
US intelligence agencies have a review process (the Vulnerabilities Equities Process) that decides whether a vulnerability they discover is kept for covert exploitation or reported so that it can be fixed. A few years ago, a vulnerability once used by the NSA became public and enabled the wave of attacks by the WannaCry ransomware, which encrypted computers and demanded a ransom. Among those affected were British hospitals and departure boards at German train stations.
In the present case, the NSA found that Windows could accept forged certificates attesting to the trustworthiness of software. Such certificates are in many cases the prerequisite for a program being allowed to run on a computer at all. The system itself remains fundamentally sound, the NSA stressed; only its implementation needs to be corrected in this specific case.
Technically, the signature-checking error lies in a vulnerability in a Windows component for cryptographic functions, the Windows CryptoAPI. It affects both code signatures and so-called TLS certificates (the certificates used to authenticate web servers and other encrypted connections). In an attack, Microsoft explained, the user would have had no way of recognizing a file as malicious, because its digital signature appeared to come from a trustworthy provider. (KAD / dpa)
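The article does not say what the implementation error in CryptoAPI was. As an added illustration (the editor's example, not code from the article, from Microsoft or from the NSA), the toy ECDSA verifier below shows one general way an ECC trust-anchor check can come to accept forged certificates: if the verifier recognises a trusted root by its public point Q alone and takes the curve generator from the certificate data it is validating, an attacker who picks a private key d' and sets G' = d'^-1 * Q obtains a key pair whose public point is exactly Q. Signatures made with d' then verify against the "trusted" Q under G'. The fix is to match the whole key, parameters included, and never to take curve parameters from untrusted input. The certificate model, the key names and the signed strings are constructed; the secp256k1 constants are used only so the arithmetic is real-sized.

```python
"""Toy ECDSA trust-anchor check (editor's example, not code from the article).
Constructed scenario: a verifier holds one trusted root key. The flawed check
matches that root by public point only and takes the generator from the
certificate under validation; the fixed check matches the whole key."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

Point = Optional[Tuple[int, int]]  # None is the point at infinity

# secp256k1 domain parameters (standard constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
A, B = 0, 7
G: Point = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
            0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def on_curve(pt: Point) -> bool:
    return pt is not None and (pt[1] ** 2 - pt[0] ** 3 - A * pt[0] - B) % P == 0


def ec_add(p1: Point, p2: Point) -> Point:
    """Affine point addition on y^2 = x^3 + Ax + B over GF(P)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k: int, pt: Point) -> Point:
    """Double-and-add scalar multiplication k * pt."""
    result: Point = None
    while k > 0:
        if k & 1:
            result = ec_add(result, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return result


def hash_to_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d: int, msg: bytes, gen: Point) -> Tuple[int, int]:
    """ECDSA over msg with private scalar d and generator gen."""
    z = hash_to_int(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = ec_mul(k, gen)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s:
            return (r, s)


def verify(q: Point, msg: bytes, sig: Tuple[int, int], gen: Point) -> bool:
    """ECDSA verification of sig against public point q under generator gen."""
    r, s = sig
    if not (on_curve(q) and on_curve(gen) and 0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    x = ec_add(ec_mul(hash_to_int(msg) * w % N, gen), ec_mul(r * w % N, q))
    return x is not None and x[0] % N == r


@dataclass(frozen=True)
class EccKey:
    """Public key as carried in a certificate: point plus explicit generator."""
    point: Tuple[int, int]
    generator: Tuple[int, int]


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer_key: EccKey          # issuer key as presented in the chain: untrusted input
    tbs: bytes                  # the signed ("to be signed") content
    signature: Tuple[int, int]


def chain_accepted(trusted: List[EccKey], cert: Cert, strict: bool) -> bool:
    """strict=False: match the root by point only and use the presented generator
    (the flawed logic). strict=True: the whole key must equal a trusted root."""
    k = cert.issuer_key
    matched = k in trusted if strict else any(t.point == k.point for t in trusted)
    return matched and verify(k.point, cert.tbs, cert.signature, k.generator)


def run_demo() -> dict:
    d_root = secrets.randbelow(N - 1) + 1                  # constructed CA key
    root = EccKey(point=ec_mul(d_root, G), generator=G)
    tbs_ok = b"CN=Constructed Publisher"
    legit = Cert("legit", root, tbs_ok, sign(d_root, tbs_ok, G))
    # Attacker: pick d_evil and set G' = d_evil^-1 * Q, so d_evil * G' == Q.
    # Same public point as the trusted root, but the attacker holds the key.
    d_evil = secrets.randbelow(N - 1) + 1
    g_evil = ec_mul(pow(d_evil, -1, N), root.point)
    spoofed = EccKey(point=root.point, generator=g_evil)
    tbs_evil = b"CN=Constructed Publisher (forged)"
    forged = Cert("forged", spoofed, tbs_evil, sign(d_evil, tbs_evil, g_evil))
    return {
        "legit_flawed": chain_accepted([root], legit, strict=False),
        "legit_fixed": chain_accepted([root], legit, strict=True),
        "forged_flawed": chain_accepted([root], forged, strict=False),
        "forged_fixed": chain_accepted([root], forged, strict=True),
        "tampered_rejected": not verify(root.point, tbs_ok + b"!", legit.signature, G),
    }
```

Running `run_demo()` shows the legitimate certificate accepted by both checks, the forged one accepted only by the flawed check (`forged_flawed` is True, `forged_fixed` is False), and an ordinary tampered signature rejected by both. The point for a practitioner is that the signature mathematics is not broken here; the verifier simply let untrusted input choose part of the trusted key's identity, which is exactly the kind of implementation-level defect the NSA described as correctable without replacing the system.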