Date: 2020-01-14

It is “Patch Tuesday” for Microsoft, and this is an important one. Not only is this the end of the road for Windows 7, but Microsoft is also releasing an important fix for Windows 10 thanks to the National Security Agency (NSA). The NSA reportedly discovered a serious flaw in Windows 10 and took the unusual but welcome step of telling Microsoft about it.

Despite its name, the NSA does not aim to improve security for the general public. Its purpose of collecting information and monitoring national communication networks is not served by patching vulnerabilities when they can be weaponized instead. That is why the NSA traditionally keeps these security flaws secret so that it can use them against targets.

The vulnerability affects the way Windows 10 verifies digital signatures. This allows a malicious software package to pose as a legitimate installation program without triggering alarms. For example, someone could use the bug to remotely install malware and gain access to the entire system. From the perspective of the NSA, this is a useful tool for cyber espionage, provided that the target uses Windows 10. There is a reasonable chance that it does, since Windows 10 is the world’s most popular desktop operating system.

People briefed on the matter compare this vulnerability with EternalBlue, a flaw that affected most versions of Windows until 2017. The NSA used EternalBlue to break into computers for five years, but then the tool came into the hands of other organizations. As a result, EternalBlue fueled major malware campaigns such as the outbreaks of the WannaCry and NotPetya ransomware. Although the new vulnerability is not as serious as EternalBlue (it only applies to Windows 10), it could allow similar attacks if it ever got out. Perhaps that is why the NSA chose to warn Microsoft instead of trying to weaponize the flaw.

Microsoft should release the patch for all Windows 10 users today. We also expect a statement on the vulnerability, in which everyone is encouraged to update as quickly as possible. Although it is better that the NSA has disclosed the flaw to Microsoft, it can still serve as a basis for online attacks if users do not update their systems. The NSA claims that there are currently no active exploits online that use this vulnerability, but that can change in an instant.

