 |
 |
|---|
Thanks to Tilted Irish Kilt for the ping!
Posted on 01/14/2020 1:53:03 PM PST by Red Badger
The National Security Agency has discovered a major security flaw in Microsoft's Windows 10 operating system that could allow hackers to intercept seemingly secure communications.
But rather than exploit the flaw for its own intelligence needs, the NSA tipped off Microsoft so that it can fix the system for everyone.
Microsoft released a free software patch to fix the flaw Tuesday and credited the agency for discovering it. The company said it has not seen any evidence that hackers have used the technique discovered by the NSA.
Amit Yoran, CEO of security firm Tenable, said it is "exceptionally rare if not unprecedented" for the U.S. government to share its discovery of such a critical vulnerability with a company.
Yoran, who was a founding director of the Department of Homeland Security's computer emergency readiness team, urged all organizations to prioritize patching their systems quickly.
An advisory sent by the NSA on Tuesday said "the consequences of not patching the vulnerability are severe and widespread."
Microsoft said an attacker could exploit the vulnerability by spoofing a code-signing certificate so it looked like a file came from a trusted source.
"The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider," the company said.
If successfully exploited, an attacker would have been able to conduct "man-in-the-middle attacks" and decrypt confidential information on user connections, the company said.
Some computers will get the fix automatically if they have the automatic update option turned on. Others can get it manually by going to Windows Update in the computer's settings.
Microsoft typically releases security and other updates once a month and waited until Tuesday to disclose the flaw and the NSA's involvement. Microsoft and the NSA both declined to say when the agency notified the company.
The agency shared the vulnerability with Microsoft "quickly and responsibly," Neal Ziring, technical director of the NSA's cybersecurity directorate, said in a blog post Tuesday.
Priscilla Moriuchi, who retired from the NSA in 2017 after running its East Asia and Pacific operations, said this is a good example of the "constructive role" that the NSA can play in improving global information security. Moriuchi, now an analyst at the U.S. cybersecurity firm Recorded Future, said it's likely a reflection of changes made in 2017 to how the U.S. determines whether to disclose a major vulnerability or exploit it for intelligence purposes.
The revamping of what's known as the "Vulnerability Equities Process" put more emphasis on disclosing unpatched vulnerabilities whenever possible to protect core internet systems and the U.S. economy and general public.
Those changes happened after a group calling itself "Shadow Brokers" released a trove of high-level hacking tools stolen from the NSA.
Pinging the geeks......................
Obambi’s NSA would have kept quiet about this...
The NSA guys found out their breathing and chatter while digitally recording and eavesdropping on all of our private conversations on phones and with Smart TV’s was being heard. They were embarrassed.
Obambi’s NSA probably wouldn’t have found it!
Obambi’s NSA probably put it in there.......................
More likely the No Such Agency has their own different back door into Windows, but this particular exploit was being utilized by the Iranians.
The NSA has the keys........................
NoSuchAgency says ‘trust this patch’
Them I don’t worry about, having known some and been there.
It’s the others you have to worry about...............
Ping
Right after Microsoft stops supporting Windows 7 and forces everyone to 10......how convenient.
Share with your audience what your log on name means/meant!
I’ll just let everybody guess and then see my homepage...............
Or... A back door was accidentally closed.
You know, the smarter thing to do wouldn’t have been to say it was from the NSA; you know, for those who might be a little bit suspicious as to the concept of the NSA wanting everyone to install a patch on their computer immediately?
At this moment, 011420@1828CST, implementing these provided updates.
Thanks, for once, MS!
So will they fix it automatically or will I have to do it?
|
|
|---|
Thanks to Tilted Irish Kilt for the ping!
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.