A recently discovered vulnerability affects the encryption of digital signatures used to verify content, including software or files. If exploited, the vulnerability could allow criminals to send malicious content with false signatures, making it appear secure.

Editor’s note: This article comes from Tencent Technology.

US intelligence agencies report major Windows 10 vulnerabilities, Microsoft issues patch fixes


On January 15, according to foreign media reports, two senior US federal cybersecurity officials confirmed that the US National Security Agency (NSA) recently notified Microsoft of a major security vulnerability in Windows 10, the latest version of Microsoft's operating system, which is currently widely used within enterprises and among consumers.

It is reported that the newly discovered vulnerability affects the encryption of digital signatures used to verify content (including software or files). If exploited, the vulnerability could allow criminals to send malicious content with false signatures, making it appear secure.

Satnam Narang, senior research engineer at Tenable, a cybersecurity company, said: “In general, patches like this should always be important, but in fact, it was the NSA that disclosed the vulnerability to Microsoft, which makes it even more important.”

Narang also said that attackers often steal security certificates in order to send victims malicious files that appear to be trusted, but with this vulnerability, attackers can simply forge Microsoft certificates, making this process much easier.

It is unclear how long the NSA had known about the vulnerability before notifying Microsoft. However, this cooperation between the NSA and Microsoft differs from past interactions. In the past, the agency often kept such important vulnerabilities confidential so that they could be used as part of a U.S. technology library.

Anne Neuberger, NSA’s director of cybersecurity, said: “This is a change in approach as part of building trust. The job of the NSA is to look forward and then to really share the data, which is part of building trust.”

Web security professionals welcomed this. Computer security expert Dmitri Alperovitch tweeted: “The NSA’s voluntary disclosure of security information to Microsoft is highly commendable. I believe this vulnerability is the type that the organization’s hackers were most happy to exploit before.”

Microsoft released a patch on Tuesday to fix the vulnerability, and in a statement the company declined to confirm or provide more details: “We follow the principle of coordinated vulnerability disclosure as an industry best practice to protect our customers from security breaches. To prevent unnecessary risks to customers, security researchers and vendors will not discuss details of the reported vulnerability until an update is available.”

Microsoft senior executive Jeff Jones issued a statement saying: “Security updates were released on January 14, 2020, and customers who have applied updates or enabled automatic updates are protected. We continue to encourage customers to install all security updates as soon as possible.” However, Microsoft said the company had not seen any signs of the vulnerability being exploited.

Narang, an engineer at network security company Tenable, said: “I want to emphasize that this information was just released in the past hour and is still quite new. For the most part, this is just another tool in the attacker’s toolbox.” (Tencent Technology Review / Jinlu)