Five Key Things To Know About NSA-Microsoft Issue | Avast

Jeff Elder, 15 January 2020

Flaw could have undermined a key trust mechanism, and spy agency took unusually public step to point it out



What happened? 
The U.S. National Security Agency discovered a major security flaw in Microsoft’s Windows 10 operating system, and tipped off the company. Microsoft made a software patch to fix it, and credited the agency for finding the flaw. 
Why was that such a big deal? 
Two reasons. First, an attacker could have exploited the vulnerability by “spoofing” a code-signing certificate – counterfeiting a key trust mechanism – so it looked like a file came from a trusted source. The company said, “The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.”
Second, the NSA chose to publicly reveal the vulnerability to the world’s largest software maker rather than exploit the flaw in order to gather intelligence about threats to the United States. The spy agency said, “NSA contributed to addressing this problem by discovering and characterizing the vulnerability, and then sharing with Microsoft quickly and responsibly.”
Luis Corrons, Avast’s security evangelist, said this combination of factors made the incident noteworthy. “The vulnerability was serious, and the NSA’s statement was unusual in its transparency. Combining those two things makes for a big story. Frankly, this is how things are supposed to work. The public has a right t ..
