Microsoft Issues Patch for Severe Flaw in Windows 10
The flaw makes Windows 10 and Windows Server 2016/2019 “fundamentally vulnerable,” according to a National Security Agency advisory.
ARLINGTON, Va. — The Cybersecurity and Infrastructure Security Agency (CISA) released an Emergency Directive and Activity Alert addressing critical vulnerabilities affecting Windows CryptoAPI, Windows Remote Desktop Gateway (RD Gateway) and Windows Remote Desktop Client.
CISA officials say a remote attacker could exploit these vulnerabilities to decrypt, modify or inject data on user connections.
Although Emergency Directive 20-02 applies only to certain executive branch departments and agencies, CISA strongly recommends state and local governments, the private sector and others also patch these critical vulnerabilities as soon as possible.
According to the NSA, the certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality.
Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities. Examples where validation of trust may be impacted include:
- HTTPS connections
- Signed files and emails
- Signed executable code launched as user-mode processes
The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors. NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable.
The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.
Both the NSA and CISA recommend that organizations immediately install patches as soon as possible. In the event that enterprise-wide, automated patching is not possible, NSA recommends system owners prioritize patching endpoints that provide essential or broadly replied-upon services.
Security Is Our Business, Too
For professionals who recommend, buy and install all types of electronic security equipment, a free subscription to Security Sales & Integration is like having a consultant on call. You’ll find an ideal balance of technology and business coverage, with installation tips and techniques for products and updates on how to add sales to your bottom line.
A free subscription to the #1 resource for the residential and commercial security industry will prove to be invaluable. Subscribe today!