Response to Windows 10 bug 'overblown' - channel reacts

Microsoft issues patch to cover flaw that could affect hundreds of millions of Windows 10 devices

Microsoft has issued a patch for Windows 10 after a US security agency disclosed what it called a "serious vulnerability" that could affect millions of devices.

The US National Security Agency (NSA) disclosed the flaw, saying it would let attackers forge digital signatures that appear to come from trusted certificate authorities, so that malware could slip past antivirus software and be accepted as a legitimately signed application. The vulnerability lies in the certificate-validation code of the Windows CryptoAPI cryptographic library (crypt32.dll) shipped with Windows 10.

Microsoft itself rated the flaw "Important" rather than Critical, and has released patches for Windows 10, Windows Server 2016 and Windows Server 2019, noting that it had not seen the flaw exploited in active attacks.

"The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider," Microsoft said.

In a statement to CRN, Jeff Jones, senior director at Microsoft, added: "A security update was released on 14 January 2020 and customers who have already applied the update, or have automatic updates enabled, are already protected. As always we encourage customers to install all security updates as soon as possible."

The revelation that Windows 10 has a massive flaw that could be exploited by hackers has been "overblown", according to Adam Louca, Softcat's chief technologist for security.

"The vulnerability could enable people to bypass that single layer of defence, but I would flip that on its head and say, 'If this defence is so brilliant, then why are we getting so much malware anyway?'" Louca explained to CRN.

"It's not like the world's going to explode because this thing's not working. It's important, but I think it's overblown and we probably shouldn't worry about it quite so much."

Brian Krebs, who first reported details of the bug, revealed that Microsoft had sent the patch to branches of the US military and other high-level users before making it available generally.

The NSA called on those affected to take action and patch immediately.

"This vulnerability may not seem flashy, but it is a critical issue," it stated.

"Trust mechanisms are the foundations on which the internet operates - and [this flaw] permits a sophisticated threat actor to subvert those very foundations.

"This kind of vulnerability may shake our belief in the strength of cryptographic authentication mechanisms and make us question if we can really rely on them. Fortunately, we can.

"[This bug] reflects a weakness in the implementation of one subtle aspect of Public Key Infrastructure (PKI) certificate validation. The technology and standards are sound; it is one implementation that needs repair."
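The article does not say which "subtle aspect" of certificate validation was at fault. The public analyses from Microsoft and the NSA (the flaw is tracked as CVE-2020-0601) describe it as the handling of ECC certificates that carry explicit curve parameters rather than a named curve: the validator matched a certificate against a trusted root by its public key point, but did not check that the generator supplied with the certificate was the root's own generator. The following is an added example written for this page, not code from the article, from Microsoft or from the NSA. It uses pure-Python arithmetic on NIST P-256 (standard published constants) to show a naive root match beside a strict one, and the key construction that only the strict check rejects. The CA key, the attacker's scalar and all function and class names are constructed for illustration and do not mirror the Windows implementation.

```python
# Added example (not code from the article, Microsoft or the NSA): why a
# certificate validator must compare a CA key's full parameter set, not just
# its public point.  Pure-Python affine arithmetic on NIST P-256.
from dataclasses import dataclass
from typing import Optional, Tuple

# NIST P-256 domain parameters (standard published values).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551

Point = Optional[Tuple[int, int]]  # None stands for the point at infinity


def on_curve(pt: Point) -> bool:
    """True if pt satisfies y^2 = x^3 + Ax + B (mod P) or is the identity."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1: Point, p2: Point) -> Point:
    """Affine point addition, covering doubling and the identity element."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k: int, pt: Point) -> Point:
    """Double-and-add scalar multiplication k * pt."""
    result: Point = None
    while k:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result


@dataclass(frozen=True)
class ECKey:
    """A public point together with the generator it was encoded against.
    A certificate with explicit curve parameters carries its own generator,
    which is how a foreign generator can travel alongside a familiar point."""
    generator: Tuple[int, int]
    point: Tuple[int, int]


def key_with_same_point_other_generator(trusted: ECKey, private: int) -> ECKey:
    """Build a key whose public point equals the trusted root's but whose
    generator is G' = private^-1 * Q, so that private * G' == Q.  The holder
    therefore knows a private key for the trusted point under G'."""
    g_prime = mul(pow(private, -1, N), trusted.point)
    return ECKey(generator=g_prime, point=trusted.point)


def naive_is_trusted_root(candidate: ECKey, trusted: ECKey) -> bool:
    # Weak check: identifies the trusted root by public point alone.
    return candidate.point == trusted.point


def strict_is_trusted_root(candidate: ECKey, trusted: ECKey) -> bool:
    # Hardened check: the generator (i.e. the explicit parameters) must also
    # be identical to the stored root's, not just the point.
    return candidate.point == trusted.point and candidate.generator == trusted.generator


def demo() -> dict:
    # Constructed CA key for the demonstration; the private scalar is arbitrary.
    ca_private = 0x0C9D4A7E9B11F5E2D3C4B5A69788796A5B4C3D2E1F00112233445566778899AA
    ca_root = ECKey(generator=G, point=mul(ca_private, G))
    attacker_private = 7                 # any value in [1, N-1] works
    crafted = key_with_same_point_other_generator(ca_root, attacker_private)
    return {
        "crafted_generator_on_curve": on_curve(crafted.generator),
        "attacker_scalar_reaches_ca_point": mul(attacker_private, crafted.generator) == ca_root.point,
        "naive_accepts_crafted": naive_is_trusted_root(crafted, ca_root),
        "strict_accepts_crafted": strict_is_trusted_root(crafted, ca_root),
        "strict_accepts_genuine": strict_is_trusted_root(ca_root, ca_root),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the example is the last two results: the crafted key and the genuine root are indistinguishable to a check that only compares public points, while a check that also compares the generator accepts the genuine root and rejects the crafted one. This matches the NSA's framing above: the elliptic-curve mathematics is sound, and the repair is in what the implementation chooses to compare.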

Softcat's Louca saw no connection between the disclosure and Microsoft ending support for Windows 7 on the same day - Windows 7 is not affected by the bug - beyond the fact that both were tied to the vendor's Patch Tuesday updates.

He added that the manner of the disclosure is more interesting than the bug itself, and speculated as to why the agency chose to make the information public.

"It's unusual this has been done so publicly; bug bounties and vulnerability sharing happen between nation-state organisations and vendors all the time," he explained.

"If I were a betting man and my organisation was building offensive cybersecurity tools and I was the only one who knew about this bug, the only reason I would ever give this bug up is if I knew there was somebody else who was using this, and it was more important to lose that tool in my arsenal and defend other people by flagging it and resolving the issue.

"That would be the logical reason as to why I think the NSA would disclose this, but they do have a mandate as part of their job to protect US interests."

Bugs are an expected occurrence in cybersecurity, and it is the NSA's involvement that sets this one apart from most, but it should not cause undue worry in the sector, Louca added.

"Expect stuff to be broken every month and ensure you have the right processes in place to be able to respond," he advised.

"If there is a lesson to be learned here, expect there to be problems and don't be surprised when they happen."