There is a dangerous security gap in current Windows versions. Anyone who uses Windows 10 or Windows Server 2016/2019 should take action: the Federal Office for Information Security (BSI) advises users “to install the software update provided by Microsoft urgently”.
Most Windows users receive the update automatically via the operating system's built-in update function. To make sure it is installed as quickly as possible, users can open the “Update and security” item in the Windows settings and click “Check for updates”. All pending updates are then downloaded and installed.
In the current case, Microsoft is closing a vulnerability in the so-called CryptoAPI. This is the Windows component that handles cryptographic functions such as encryption. Developers use its interface to access security certificates in order to protect sensitive information. The bug allows attackers to trick Windows into accepting a forged security certificate as valid. This would let criminals install malware and penetrate deep into the system.
The BSI classifies the vulnerability as “critical”, even though there is no evidence to date that it is being actively exploited. How seriously the flaw should be taken is shown by who reported it to Microsoft: it was, of all agencies, the US intelligence agency NSA that pointed out the vulnerability (PDF). Typically, the NSA uses such gaps itself to penetrate systems and monitor suspects.
“You should patch your system immediately”
IT security expert Brian Krebs had already reported on Monday that the upcoming Windows update would close a particularly critical vulnerability. According to his report, the US military and operators of critical Internet infrastructure had received the update in advance.
Many well-known IT security researchers are alarmed, among them Tavis Ormandy from Google. “This is pretty bad,” he writes on Twitter about the vulnerability. In almost the same words, the renowned expert Bruce Schneier writes on his blog: “This is really bad, and you should patch your system immediately, before reading this blog entry.”
Anne Neuberger, who heads the NSA's cybersecurity directorate, said in a phone call with journalists, according to Schneier, that the agency had reported security vulnerabilities in Windows to Microsoft before. This, however, is the first time the NSA has publicly acknowledged doing so. The agency wants to regain the trust of the IT security community and intends to share its findings publicly faster and more often in the future.
In the past, the NSA preferred to exploit vulnerabilities itself
It is by no means a given that the NSA would alert Microsoft. After the NSA hacking unit known as “Tailored Access Operations” discovered a programming error in Windows, it preferred to exploit it for years without reporting it. Eventually, in 2016, the “EternalBlue” exploit fell into the hands of the hacking group The Shadow Brokers, which published the code.
Shortly thereafter, hackers used the vulnerability to spread the WannaCry and Petya Trojans. The malware infected hundreds of thousands of computers and paralyzed many companies. “We need governments that are aware of the damage done to civilians from the accumulation and exploitation of such software security problems,” said Microsoft's top lawyer Brad Smith at the time.