After the National Security Agency (NSA) discovered that Windows 10 had a vulnerability in the functionality of its certificate validation code, the Microsoft Corporation
Both Microsoft and the NSA strongly recommend that all Windows 10 users update their operating systems accordingly if they haven't done so already.
"[We are] recommending that network owners expedite implementation of the patch immediately as we will also be doing," said NSA's Cybersecurity Directorate head, Anne Neuberger.
Neuberger went on to identify the importance of working with Microsoft to address the concern: "When we identified a broad cryptographic vulnerability like this," she stated, "we quickly turned to work with the company to ensure that they could mitigate it."
Indeed, Microsoft appears to have been following protocol, working with cybersecurity officials and relevant vendors to mitigate the flaw in its CryptoAPI feature, a "critical component" of the Microsoft Windows operating system (OS).
CryptoAPI validates the certificates that vouch for applications and programs, so that users can trust the software and connections they rely on.
"It's the equivalent of a building security desk checking IDs before permitting a contractor to come up and install new equipment," explained Ashkan Soltani, former chief technologist at the Federal Trade Commission (FTC).
Without that validation feature working properly, users were apparently left exposed and at the mercy of potential attackers. One possible outcome is a user's information being held hostage for ransom.
This news may be particularly alarming considering that, as of December 2019, over 86% of personal computers (PCs) in the world run Windows, and 63% of desktops and notebooks running Windows are using Windows 10.
That said, Neuberger said that neither the NSA nor Microsoft has seen this vulnerability exploited.
But that doesn't mean users are off the hook.
The NSA released a press statement stressing the importance of patching the vulnerability and what is at stake without the necessary tune-up: "The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners."
The patch is intended to fix this validation issue so that users' applications, emails, and "secure website connections" can be confirmed as legitimate.
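The two practical steps the article leaves with network owners are confirming that the update is installed and trusting the OS certificate-validation path again once it is. The PowerShell script below is an added example and is not code from the article, Microsoft or the NSA. It assumes a Windows host with PowerShell 5.1 or later; the KB identifier is a placeholder that must be replaced with the update ID named in the vendor advisory (the article does not give it), and the directory to audit is chosen by the operator. Because the signature audit goes through the same OS validation code the article describes (Authenticode and .NET's X509Chain sit on top of CryptoAPI), its verdicts are only trustworthy on a patched system; run the patch check first.

```powershell
# Added example (not from the article): a defender-side check that (1) confirms the
# update is installed and (2) audits executables through the OS certificate-validation
# path, reporting any signed binary whose signature or chain does not validate.
#
# Assumptions (not in the article): $PatchKb is a PLACEHOLDER for the vendor's update ID;
# $AuditPath is an operator-chosen directory; $MaxFiles bounds the run time.

param(
    [string]$PatchKb   = 'KB0000000',          # PLACEHOLDER: replace with the advisory's update ID
    [string]$AuditPath = "$env:ProgramFiles",  # directory whose executables are audited
    [int]$MaxFiles     = 200                   # cap on files examined per run
)

# 1. Is the update present? Get-HotFix reads the installed-updates list on this host.
$hotfix = Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Host "Update $PatchKb installed on $($hotfix.InstalledOn)"
} else {
    Write-Warning "Update $PatchKb NOT found on this host; apply the vendor patch before trusting the audit below"
}

# 2. Audit executables: ask the OS (via Authenticode) whether each binary's signature is
#    valid, then independently build the signer's certificate chain so that chain-level
#    problems (expired, revoked, untrusted root, ...) are reported, not just Valid/NotSigned.
$results = Get-ChildItem -Path $AuditPath -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    Select-Object -First $MaxFiles |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $chainStatus = 'n/a'
        if ($sig.SignerCertificate) {
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            # Check revocation online where possible; ExcludeRoot skips the self-signed root.
            $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
            $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
            $built = $chain.Build($sig.SignerCertificate)
            $chainStatus = if ($built) { 'OK' } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',' }
        }
        [pscustomobject]@{
            File        = $_.FullName
            SigStatus   = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            ChainStatus = $chainStatus
        }
    }

# 3. Signed binaries that do not validate are the ones worth a closer look; unsigned
#    binaries are reported separately so they are not mistaken for tampered ones.
$results | Where-Object { $_.SigStatus -ne 'Valid' -and $_.SigStatus -ne 'NotSigned' } |
    Format-Table -AutoSize
$unsigned = ($results | Where-Object { $_.SigStatus -eq 'NotSigned' }).Count
Write-Host "$unsigned of $($results.Count) examined files carry no signature"
```

Run it from an elevated prompt so protected directories can be read. Building the chain separately matters because Get-AuthenticodeSignature collapses everything into a single status; the X509Chain status list tells an analyst whether a failure is an untrusted root, an expired intermediate, or a revocation problem, which are triaged very differently.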
- https://www.cnbc.com/2020/01/14/microsoft-to-patch-windows-10-after-nsa-finds-vulnerability.html
- https://www.wired.com/story/nsa-windows-10-vulnerability-disclosure/
- https://www.cnn.com/2020/01/14/tech/nsa-microsoft-patch/index.html
- https://securityboulevard.com/2020/01/nsa-microsoft-releases-patch-to-fix-latest-windows-10-vulnerability/
- https://www.computerworld.com/article/3199373/windows-by-the-numbers-windows-10-resumes-march-towards-endless-dominance.html
- https://www.cyberscoop.com/windows-10-vulnerability-nsa-public-disclosure/