NSA discloses Windows cryptographic vulnerability
Microsoft released a new patch for the cryptographic vulnerability (CVE-2020-0601) in Windows 10, Windows Server 2016 and 2019. It is reported that the US National Security Agency discovered the vulnerability and disclosed it to Microsoft. The discovered flaw allowed to undermine Windows verification of cryptography certificates and run malicious code remotely. It may have impacted HTTPS connections, signed files and emails, signed executable code launched as user-mode processes. NSA assessed the vulnerability to be severe and widespread if not patched immediately. Additionally, the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring Federal agencies to patch their Windows systems as soon as possible.
Notably, this disclosure signifies a change in approach of NSA’s disclosure policy. The agency didn’t exploit the vulnerability for their benefits before disclosing to Microsoft, in contrast to what happened with EternalBlue exploit in 2017.