The National Security Agency alerted Microsoft that it had found a vulnerability in Windows operating systems that could enable cyber intrusions, according to two people familiar with the matter.
The news comes hours before Microsoft is scheduled to release a security update, which is part of a company practice of disclosing newly found software vulnerabilities in hardware.
There isn’t an active cyberattack, according to Microsoft.
Anne Neuberger, the NSA’s director of cybersecurity, has scheduled a press briefing on Tuesday, amid an agency push to be more transparent and friction between tech companies and the government in recent years over vulnerability disclosure.
The flaw lies in a part of Windows software known as Crypt32.dll, according to one of the people who requested anonymity because the information isn’t yet public. That file is used by the Windows and Windows Server operating systems — to implement “many of the Certificate and Cryptographic Messaging functions in the CryptoAPI, such as CryptSignMessage” — according to Microsoft. This means that the flaw could affect a broad range of users.
CVD
Microsoft has a policy of regularly releasing security updates on the second Tuesday of each month, and this update aligns with that schedule, according to a Monday statement by Jeff Jones, a senior director at the company.
“We follow the principles of coordinated vulnerability disclosure (CVD) as the industry best practice to protect our customers from reported security vulnerabilities,” Jones said in the statement. “To prevent unnecessary risk to customers, security researchers and vendors do not discuss the details of reported vulnerabilities before an update is available.”
News of the NSA’s discovery was previously reported by the Washington Post and Krebs on Security, a cybersecurity blog. — Reported by Dina Bass and Alyza Sebenius, (c) 2020 Bloomberg LP