Microsoft Corp. has patched a major security flaw in Windows that was discovered by the U.S. National Security Agency, arguably making its first “Patch Tuesday” of the year one of the most exciting to date.

The flaw, officially called CVE-2020-0601, affects Windows 10, Windows Server 2016, Windows Server 2019 and Windows Server version 1803.

Described as a crypto library bug, the vulnerability allows bad actors to spoof certificates. Although there are no attacks in the wild as of the time of writing, the flaw undermines how Windows verifies cryptographic trust — Public Key Infrastructure — and hence allows remote code execution.

“PKI is a set of mechanisms that home users, businesses, and governments rely upon in a wide variety of ways,” the NSA Central Security Service said in a statement today. “The vulnerability permits an attacker to craft PKI certificates to spoof trusted identifies, such as individuals, web sites, software companies, service providers, or others. Using a forged certificate, the attacker can (under certain conditions) gain the trust of users or services on vulnerable systems, and leverage that trust to compromise them.”

As Bleeping Computer noted, this is the first time the NSA has gone public with a vulnerability disclosure, marking what they describe as a “new chapter” in the history of the agency. In a teleconference, NSA Director of Cybersecurity Anne Neuberger said the agency went public both as part of building trust and also part of a new transparency policy.

Security guru Brian Krebs said the disclosure could be one of many to come as the agency pursues a policy called “Turn a New Leaf” that aims to make NSA research available to major software providers and well as the public.

The NSA in the past has been accused of hoarding vulnerabilities and even actively exploiting them. It’s believed to be behind the “Equation Group,” a state-sponsored hacking group that was hacked and its data leaked online by “The Shadow Brokers.” The NSA is also believed to have created the Eternal Blue exploit that led to countless hacking attacks starting with WannaCry and going from there once it was made public by The Shadow Brokers.

If the NSA has turned over a new leaf, it is both surprising and welcomed at the same time. “Kudos to the NSA for informing Microsoft and to Microsoft for quickly reacting,” Chris Morales, head of security analytics at cloud security firm Vectra AI Inc., told SiliconANGLE.

“I’d be interested to understand what makes this exploit worth reporting to Microsoft instead of keeping for their personal arsenal as they have in the past,” Morales added. “It could be because many of those previous tools leaked and have caused widespread damage across multiple organizations. It could be because there was a concern others would find this vulnerability themselves and it was dangerous enough to warrant remediation instead of weaponizing. Or it just could be the NSA already has enough other methods for compromising a Windows system and doesn’t need it.”

Rick Holland, chief information security officer and vice president of strategy at digital risk protection firm Digital Shadows Ltd., explained that this vulnerability is a “force multiplier for attackers,” who often go to great lengths to get their tools whitelisted in their target environment.

“The CryptoAPI Spoofing vulnerability gives attackers another option to make their code appear legitimate,” Holland said. “There is a silver lining though, Windows 7, which is now end of life, isn’t impacted by this.”

Photo: NSA/Wikimedia Commons