Microsoft Windows Security Vulnerability Alert

Microsoft released a security patch for Windows 10 and Windows Server 2016 last week (January 2020; the flaw is tracked as CVE-2020-0601). The vulnerability was discovered and reported to Microsoft by the National Security Agency (NSA). The Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, considered the flaw serious enough to issue an emergency directive ordering civilian federal agencies to patch the affected Windows systems.


What Did the NSA Find?

The patch released by Microsoft addresses a bug in the certificate-validation code (Windows CryptoAPI) of Windows 10 and Server 2016. A cybercriminal could take advantage of this vulnerability by using a fake or “spoofed” code-signing certificate. A legitimate code-signing certificate is issued by a trusted certificate authority, and the developer uses the matching private key to sign their software so that Windows can verify the file has not been tampered with and comes from a known source. This chain of signatures is what establishes trust between users, admins, and computers on the internet or a local network. In simple terms, a hacker could forge the signature on a piece of malware so that Windows reports it as legitimately signed.

According to Microsoft:

“A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.

An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.

A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.”
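To make the quoted advisory concrete, here is an added illustration (not code from the article, from Microsoft, or from Windows) of the kind of validation mistake it describes. It models the published root cause of CVE-2020-0601: an ECC certificate may carry explicit curve parameters (p, a, b and the generator G) instead of a named curve, and the vulnerable check matched a certificate against a trusted root by its public key Q alone, without confirming that the curve and generator matched as well. With that weak check, an attacker sets the generator G' = Q and uses private key d' = 1, so 1·G' equals the trusted root's Q: the validator believes the certificate is the trusted root, while the attacker holds a private key for it. The curve values (p=17, a=2, b=2, G=(5,1)), the private key d=7 and the `validate_weak`/`validate_strict` names are constructed for the example and are not real-world parameters or Windows API names. Requires Python 3.8+ for `pow(x, -1, p)`.

```python
# Added example: toy model of a Q-only ECC certificate match versus a full
# curve-parameter match. Curve and key values are constructed for illustration.
from dataclasses import dataclass
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]   # None stands for the point at infinity


@dataclass(frozen=True)
class Curve:
    """Short Weierstrass curve y^2 = x^3 + a*x + b over GF(p) with generator G."""
    p: int
    a: int
    b: int
    G: Tuple[int, int]


@dataclass(frozen=True)
class EccKey:
    """Public key as carried in a certificate: explicit curve parameters plus Q."""
    curve: Curve
    Q: Tuple[int, int]


def on_curve(c: Curve, P: Point) -> bool:
    if P is None:
        return True
    x, y = P
    return (y * y - (x * x * x + c.a * x + c.b)) % c.p == 0


def add(c: Curve, P: Point, Q: Point) -> Point:
    """Group law in affine coordinates."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % c.p == 0:
        return None                                   # P + (-P) = infinity
    if P == Q:
        lam = (3 * x1 * x1 + c.a) * pow(2 * y1, -1, c.p) % c.p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, c.p) % c.p
    x3 = (lam * lam - x1 - x2) % c.p
    y3 = (lam * (x1 - x3) - y1) % c.p
    return (x3, y3)


def mul(c: Curve, k: int, P: Point) -> Point:
    """Scalar multiplication k*P by double-and-add."""
    R: Point = None
    while k > 0:
        if k & 1:
            R = add(c, R, P)
        P = add(c, P, P)
        k >>= 1
    return R


def knows_private_key(key: EccKey, d: int) -> bool:
    """True if d is a private key for `key` under the curve the key itself declares."""
    return mul(key.curve, d, key.curve.G) == key.Q


def validate_weak(cert: EccKey, trusted: EccKey) -> bool:
    """Vulnerable check: the cert is taken for the trusted root if only Q matches."""
    return cert.Q == trusted.Q


def validate_strict(cert: EccKey, trusted: EccKey) -> bool:
    """Fixed check: p, a, b and the generator G must match as well."""
    return cert.Q == trusted.Q and cert.curve == trusted.curve


# Constructed trusted root on a small textbook curve, private key d = 7.
TEXTBOOK = Curve(p=17, a=2, b=2, G=(5, 1))
ROOT_D = 7
ROOT = EccKey(TEXTBOOK, mul(TEXTBOOK, ROOT_D, TEXTBOOK.G))


def forge_root(trusted: EccKey) -> Tuple[EccKey, int]:
    """Attacker's spoofed key: same p, a, b, but generator G' = Q and private key 1."""
    c = trusted.curve
    forged_curve = Curve(c.p, c.a, c.b, G=trusted.Q)
    return EccKey(forged_curve, trusted.Q), 1


if __name__ == "__main__":
    forged, d_prime = forge_root(ROOT)
    print("root Q:", ROOT.Q, "on curve:", on_curve(TEXTBOOK, ROOT.Q))
    print("attacker holds a private key for the forged cert:", knows_private_key(forged, d_prime))
    print("weak validation accepts forged cert:  ", validate_weak(forged, ROOT))
    print("strict validation accepts forged cert:", validate_strict(forged, ROOT))
```

The forged certificate never needs the root's private key: it only needs the validator to trust explicit curve parameters without comparing them to the ones the trusted root was stored with. The fix is the extra comparison in `validate_strict`, which is why the patch is to the validation logic rather than to the cryptography itself.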


Why is the Microsoft Windows Security Vulnerability a Risk to All Businesses?

So, what does this mean for businesses that are not civilian federal agencies? It means you run exactly the same risk, and make no mistake, it is a big one: the bug is estimated to affect over 900 million PCs.

When a government agency such as the NSA finds a vulnerability, it does not always notify the software vendor immediately. It is important that the vendor learns of the issue quickly so it can issue a security patch. While the flaw remains unreported, the general public and businesses stay exposed, because the agency may choose to keep the vulnerability for its own purposes rather than disclose it.

In this instance, however, the NSA reported the flaw to Microsoft, and CISA determined the risk was great enough to require immediate, emergency action. That tells us CISA is worried about its own “house.” And you should be too.

What Do You Need to Do?

It’s imperative that you (or your IT team) install the security patch released by Microsoft as soon as possible. Now that the patch is public, the race is on between the good guys protecting your data and the bad guys reverse-engineering the fix to exploit the vulnerability and steal your data.

If you’re not sure how to proceed, contact the cybersecurity experts at Spry Squared for help.