The National Security Agency recently uncovered a severe vulnerability in Microsoft's Windows operating system and says it chose to disclose the flaw publicly and help the company issue a patch rather than use it in the agency's own intelligence operations. The vulnerability, tracked as CVE-2020-0601, exists because the Windows CryptoAPI fails to properly validate certificates that use elliptic curve cryptography (ECC); an attacker who exploits it can spoof the validity of a certificate chain, so that a forged certificate appears to be signed by a trusted authority.
Anne Neuberger, the director of the NSA's Cybersecurity Directorate, said that upon discovering the critical vulnerability in the course of their research, they "immediately shared [it] with the company for action." DHS's Cybersecurity and Infrastructure Security Agency (CISA) is warning the private sector and state, local and tribal governments that, if they cannot patch immediately, they should isolate affected systems by disconnecting internet-facing devices from the internet until the patch can be applied. Federal civilian agencies were given 10 days to apply the patch.
