The US National Security Agency (NSA) found a flaw in Microsoft's Windows 10 operating system that could allow attackers to breach or surveil targeted computer networks. After receiving a heads-up from the NSA, Microsoft has now fixed the security issue with a patch.
During a press conference, NSA revealed that the “serious vulnerability” could be used to create malicious software that appeared to be legitimate. If the vulnerability had been successfully exploited, an attacker would have been able to conduct “man-in-the-middle attacks” and decrypt confidential information on user connections to the affected software, said Microsoft.
The flaw, CVE-2020-0601, lies in the user-mode cryptographic library CRYPT32.DLL and affects Windows 10 systems: the library failed to validate Elliptic Curve Cryptography (ECC) certificates correctly, so a forged certificate could pass as one issued by a trusted authority. Microsoft reported that the flaw was not under active exploitation at the time of disclosure, though that does not prevent an attacker from weaponizing it now that it has been disclosed.
Microsoft said it found no evidence to show that the bug has been actively exploited by attackers, and classified the bug as “important.”
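One check a defender will want after patching, added here as an example and not taken from the article or from Microsoft: the patched CRYPT32.DLL writes an Application-log event each time it rejects a certificate crafted to abuse CVE-2020-0601, so those events can be hunted across a fleet. The script below assumes the provider name Microsoft-Windows-Audit-CVE, Event ID 1, and a message containing the string "[CVE-2020-0601]"; the function name and the 30-day default window are this example's own choices.

```powershell
# Added example for this page (not Microsoft's or the article's code).
# Hunts for the Audit-CVE events that a patched crypt32.dll writes when it
# rejects a certificate crafted to abuse CVE-2020-0601.
# Assumptions: provider 'Microsoft-Windows-Audit-CVE', Event ID 1 in the
# Application log, and a message containing '[CVE-2020-0601]'.
function Find-CurveBallAttempt {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$Days = 30
    )

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Audit-CVE'
        Id           = 1
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    foreach ($target in $ComputerName) {
        try {
            $events = Get-WinEvent -ComputerName $target -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # Get-WinEvent throws when nothing matches; treat that as "no attempts seen"
            # but surface real errors (host unreachable, access denied) to the operator.
            if ($_.Exception.Message -match 'No events were found') { continue }
            Write-Warning "$target : $($_.Exception.Message)"
            continue
        }
        foreach ($e in $events) {
            # Audit-CVE is a shared provider; keep only this CVE's entries.
            if ($e.Message -notmatch '\[CVE-2020-0601\]') { continue }
            [pscustomobject]@{
                ComputerName = $target
                TimeCreated  = $e.TimeCreated
                Message      = $e.Message
            }
        }
    }
}

# Local host, last 30 days; pipe to Export-Csv for SIEM ingestion.
Find-CurveBallAttempt | Format-Table -AutoSize
```

An empty result is only meaningful on a patched host: the unpatched library logs nothing and simply accepts the forged certificate, so confirm that the January 2020 update is installed (for example with Get-HotFix) before reading silence as "no attempts".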
Reporting the vulnerability to the vendor marks a departure for the NSA from its past practice of keeping security flaws under wraps and exploiting them for its own intelligence needs.
A few years ago, the U.S. spy agency was criticized for finding and using a Windows vulnerability to conduct surveillance instead of alerting Microsoft to the flaw. That exploit, EternalBlue, later leaked and was used to infect hundreds of thousands of computers with the WannaCry ransomware, causing damage estimated in the hundreds of millions of dollars.