
Severe Windows 10 vulnerability found by NSA – Update Windows 10 Immediately

Fast facts:
  • Microsoft’s Windows 10 operating system has a critical vulnerability in the code that performs cryptographic verification—and it could affect hundreds of millions of Windows 10 users if left unpatched.
  • The NSA discovered the bug and alerted Microsoft, along with publicly disclosing the immediate need for those with Windows 10 and Windows Servers 2016/2019 to update their systems with the available security patch.
  • The NSA and Microsoft advisories to patch Windows 10 systems are urgent. NSA has never before made such a public disclosure.
  • This so-called spoofing flaw prevents Windows 10 from telling the difference between legitimate and fake sources, which means you might log on to a fake website or download a malicious app without realizing it.
  • If you don’t update Windows 10 immediately, fraudsters could do damaging things like remotely install malware onto your PC or intercept your sensitive data.

New cybersecurity issues present themselves every year, but a big one hit 2020 right out of the gate: a critical vulnerability in Microsoft’s Windows 10 operating system. To protect the hundreds of millions of Windows 10 users who could be impacted, the National Security Agency made the unprecedented move of publicly urging everyone to update their Windows 10 systems immediately.

You may be asking yourself if this is really urgent, or just another Windows update. It’s important to note that this is the first time NSA has ever publicly disclosed that they’ve alerted Microsoft about a security flaw—and urged consumers to take immediate action.

To be certain, the urgency in their recommendation merits repeating: Install the latest update to your Windows 10 operating system immediately to help protect computers and devices against hackers that could seek to exploit this crack in Windows’ security.

In this article, we cover what you need to know to help protect yourself.

What is the Windows 10 security flaw that was discovered?

On January 14, 2020, the U.S. National Security Agency (NSA) released a cybersecurity advisory urging all users of Microsoft’s Windows 10 operating system to patch a potentially serious vulnerability known as CVE-2020-0601. This is a bug in the Windows cryptographic component, CryptoAPI—the code Windows uses to confirm the legitimacy of software and to establish secure web connections. The problem? The vulnerability renders that verification check untrustworthy.

In its cybersecurity advisory, NSA said this crack in the validation of trust could impact:

  • HTTPS connections
  • Signed files and emails
  • Signed executable code related to software processes

In a security advisory that same day, Microsoft called this software flaw a “spoofing” vulnerability. What does this mean? Spoofing is about deception. Fraudsters pretend they’re someone or something that is a trusted, legitimate source — when, in fact, they are not. Even worse, they’re often malicious. With this new crypto bug, Windows 10 can’t tell the difference between the imitation and the real thing, believing the fraudsters are legitimate and letting them in.

If this hole is left unchecked, an attacker could use fake certificates — a type of digital signature used to validate legitimate apps and software — to look like a trusted entity.

These spoofed certificates would enable fraudsters to do things like remotely install malware onto your computer or intercept sensitive data like your Social Security number. On systems that haven’t been updated with the latest patch, the malware will look like it’s from a trusted provider, making detection more difficult.

The crypto bug is a remote code execution vulnerability, giving those who exploit it the ability to gain access to your computer from wherever they are.
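How a defender can look for the certificate pattern behind this bug, as an added example that is not code from the article, NSA or Microsoft: NSA’s advisory describes CVE-2020-0601 as CryptoAPI accepting elliptic-curve certificates whose curve parameters are spelled out explicitly instead of referenced by a named-curve identifier, and it suggested logging such certificates. The stdlib-only Python below parses a DER SubjectPublicKeyInfo and flags that form; all sample keys are constructed, not taken from real certificates.

```python
# Added example, not code from the article, NSA or Microsoft; every key below is constructed.
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # OID 1.2.840.10045.2.1 (id-ecPublicKey)
ID_SECP256R1 = bytes.fromhex("2a8648ce3d030107")    # OID 1.2.840.10045.3.1.7 (P-256, named curve)

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos (short or long-form length); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER")
    return tag, value, pos + length

def _children(value):                                 # split a constructed payload into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _tlv(value, pos)
        out.append((tag, v))
    return out

def classify_spki(spki):
    """Classify a DER SubjectPublicKeyInfo as 'named-curve', 'explicit-params', 'other-params' or 'not-ec'."""
    tag, body, _ = _tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    alg_fields = _children(_children(body)[0][1])     # AlgorithmIdentifier: algorithm OID + parameters
    if alg_fields[0][0] != 0x06 or alg_fields[0][1] != ID_EC_PUBLIC_KEY:
        return "not-ec"
    param_tag = alg_fields[1][0] if len(alg_fields) > 1 else None
    if param_tag == 0x06:                             # namedCurve OID: the normal, safe form
        return "named-curve"
    if param_tag == 0x30:                             # specifiedCurve SEQUENCE: the form CVE-2020-0601 abused
        return "explicit-params"
    return "other-params"                             # implicitCurve NULL or parameters absent

def should_alert(spki):                               # what a defender logs: any EC key that does not name its curve
    return classify_spki(spki) in ("explicit-params", "other-params")

def _der(tag, payload):
    """Encode a short-form DER element (payload < 128 bytes); used only to build the samples."""
    return bytes([tag, len(payload)]) + payload

def _sample_spki(alg_oid, params):
    alg = _der(0x30, _der(0x06, alg_oid) + params)
    return _der(0x30, alg + _der(0x03, b"\x00\x04" + b"\x11" * 64))   # placeholder point, not a real key

NAMED_SPKI = _sample_spki(ID_EC_PUBLIC_KEY, _der(0x06, ID_SECP256R1))
EXPLICIT_SPKI = _sample_spki(ID_EC_PUBLIC_KEY, _der(0x30, _der(0x02, b"\x01")))  # stub SpecifiedECDomain: version only
```

On a real system the SubjectPublicKeyInfo would come from a certificate extracted from the machine’s certificate stores or from captured TLS handshakes; a named-curve result is benign, anything else is worth a closer look.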

Who is impacted?

The bug specifically affects Windows 10 and Windows Server 2016/2019 systems, along with any applications that rely on Windows to determine if a function is trustworthy. This could translate into hundreds of millions of victims.

The urgency of NSA’s warning is clear: If you’re in the pool of people impacted and haven’t updated your Windows 10 system, take action now. Cyber attackers could soon exploit this security flaw and use it to their full advantage.

Consider this: When you try to connect to a website, your browser usually relies on Windows software to check the validity of that website. With this bug, that software isn’t doing its job, and if you don’t apply the security patch, there’s no reliable checkpoint.

You could find yourself logging on to fake, malicious websites or downloading malicious apps and files embedded with malware, which could allow hackers to steal your sensitive data, files and passwords; install ransomware; conduct man-in-the-middle attacks; and possibly make you the next victim of identity theft.

How was the vulnerability discovered?

Anne Neuberger, Director of the NSA Cybersecurity Directorate, said in a January 14 press conference that NSA discovered this critical security flaw as part of its security research and disclosed it to Microsoft. The disclosure is noteworthy because it’s highly unusual — the government doesn’t often disclose vulnerabilities like this to vendors. Moreover, Neuberger said this is the first time NSA has publicly taken credit for disclosing a vulnerability to Microsoft.

Another part of the equation could be that only two years ago, NSA was criticized for discovering and secretly using a Windows operating system vulnerability to conduct surveillance instead of alerting Microsoft to the flaw. The agency was chastised for using the vulnerability to create an exploit, known as EternalBlue, as a way to secretly backdoor vulnerable computers. The exploit was later leaked and used to infect thousands of computers with the notorious WannaCry ransomware, causing millions of dollars’ worth of damage on a global scale.

It looks like this time around NSA isn’t taking any chances—and is letting us know: Take action now, because the damage that could result from this vulnerability is serious.

6 steps you should take to help protect yourself immediately

NSA and Microsoft urge consumers with Windows 10 and Windows Server 2016/2019 systems to patch this vulnerability immediately to avoid severe consequences. As NSA says in its advisory, “Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.”

Microsoft has already released the patch, known as the January 2020 Patch Tuesday patch, which users should use to update their Windows 10 systems immediately. Here are six important steps you should take to help ensure your devices and data are protected:

  1. If you have Windows 10, you likely have automatic updates enabled by default. If so, your system will attempt to install the updates when they’re downloaded. Allow the update process to be completed and restart your systems if needed.
  2. You also could run your Windows Update manually to get the patch quicker. To do so, you can click the “Check for Windows Updates” button.
  3. Alternatively, you can run the Windows update manually by clicking on the Start button and then selecting: Settings > Update & Security > Windows Update > Check for Updates.
  4. If you have multiple PCs running Windows 10, make sure they are all up-to-date with the latest security patches.
  5. CAUTION: Never attempt to download a patch for this vulnerability—or any others—from anywhere other than the Windows update tool. Windows system updates should only be downloaded directly from Microsoft.
  6. Focus on endpoint security: NSA recommends that where enterprise-wide, automated patching isn’t possible, give priority to patching endpoints that provide essential, widely-used services such as domain controllers, DNS servers and VPN servers; and endpoints that have a higher risk of exploitation like those directly exposed to the internet.

For anyone who thinks they won’t be affected by this Windows 10 bug because they still use Windows 8, Windows 7 or Windows XP, not so fast. Microsoft hasn’t shared if this crypto bug exists in all versions of Windows. Another cause for concern is that the patches and free support that once were given to older operating systems like Windows XP and Windows 7 are no longer available, leaving users without any security fixes or updates going forward.

The bottom line: Always stay up-to-date with your latest security patches, and for those of you with Windows 10, patch your system immediately by following the steps outlined above.




Copyright © 2020 NortonLifeLock Inc. All rights reserved.