Microsoft rolled out a set of patches for its Windows platform on January 14, after the United States National Security Agency (NSA) pointed out a serious flaw. The NSA has urged everyone to take immediate action and patch their systems, saying that all the issues addressed in the patch release are serious.
Neal Ziring, Technical Director of the NSA Cybersecurity Directorate, discussed the one key issue that made the widely used operating system highly vulnerable. Ziring said that the flaw could be misused by hackers to spoof trusted identities, such as individuals, websites, software companies, service providers, or others.
There was a possibility of attackers forging a Public Key Infrastructure (PKI) certificate, gaining the trust of users or services on vulnerable systems, and leveraging that trust to compromise them. “This kind of vulnerability may shake our belief in the strength of cryptographic authentication mechanisms and make us question if we can really rely on them,” said the technical director in a statement.
Ziring explained that the issue reflected a weakness in the implementation of one subtle aspect of PKI certificate validation. He added that this implementation needed repair, since it posed significant risk for enterprises and systems that depend on PKI for trust.
“The patch is the only comprehensive means to mitigate the risk. While means exist to detect or prevent some forms of exploitation, none of them are complete or fully reliable,” said Ziring, urging users to apply the patch fully across their Windows 10 and Server 2016 installed base.
According to the NSA and Microsoft, there is no evidence that the flaw has been abused, but both added that the security updates should be deployed as soon as possible. It is the first time that the NSA has publicly claimed credit for identifying a vulnerability and warning Microsoft, but the agency said that it has alerted companies in the past as well about flaws in their products.