Just a week after Homeland Security warned all Firefox users to update to the latest version due to hacking fears, now another government agency has warned about another major vulnerability in software used by millions of Americans: Microsoft’s flagship Windows 10 operating system.
Earlier this week the National Security Agency alerted Microsoft to a major vulnerability in Windows 10 and Windows Server 2016. The vulnerability relates to the way Windows 10 handles digitally signed apps. When an app developer “signs” an app, the signature lets the operating system the app runs on verify that the app is genuine and not a fake made to look like the real thing.
However, because of the vulnerability in Windows 10 and Windows Server 2016, the operating system could be tricked by a forged signature into treating a malicious app as legitimate and allowing it to run. In other words, a malicious app could look like the real thing to Windows 10 and Windows Server 2016, and once it’s on the OS it could pretty much carry out whatever nefarious activity the hacker wanted it to.
As the NSA explains:
The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors. NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.
The good news is that, unlike the Firefox vulnerability Homeland Security warned about last week, the Windows 10 and Windows Server 2016 signature vulnerability appears not to have been exploited in the wild yet. Microsoft has already issued a security update for both operating systems.
The NSA advises everyone to update their Windows 10 and Windows Server 2016 right away:
NSA recommends installing all January 2020 Patch Tuesday patches as soon as possible to effectively mitigate the vulnerability on all Windows 10 and Windows Server 2016/2019 systems. In the event that enterprise-wide, automated patching is not possible, NSA recommends system owners prioritize patching endpoints that provide essential or broadly relied-upon services.
If you haven’t updated your Windows 10 or Windows Server 2016 yet, drop what you’re doing right now and do it. To update Windows, click the Start button, then go to Settings > Update & Security > Windows Update.
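For administrators who would rather confirm the state of a machine from a console than click through Settings, the following PowerShell check is an added example (not from the article, the NSA advisory, or Microsoft): it lists updates installed on or after the January 2020 Patch Tuesday and reports the Authenticode signature status of a sample binary. The cut-off date of 14 January 2020 and the sample file path are assumptions for the illustration.

```powershell
# Added example: defender-side check on a Windows 10 / Windows Server 2016 host.
# Part 1: have any updates been installed since the January 2020 Patch Tuesday?
# Assumption: 14 January 2020 is used as the cut-off date for this illustration.
$patchTuesday = Get-Date -Year 2020 -Month 1 -Day 14

# Get-HotFix reads Win32_QuickFixEngineering, so it only sees updates recorded there;
# an empty result is a prompt to run Windows Update, not proof of a missing patch.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn

if ($recent) {
    "Updates installed since $($patchTuesday.ToShortDateString()):"
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    Write-Warning "No updates recorded since the January 2020 Patch Tuesday; run Windows Update."
}

# Part 2: what does Windows say about a file's digital signature?
# Status is Valid for a signature the OS accepts, NotSigned, HashMismatch, etc.
# Assumption: notepad.exe is just a sample path; substitute the binary you care about.
$target = Join-Path $env:SystemRoot 'System32\notepad.exe'
$sig = Get-AuthenticodeSignature -FilePath $target
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
"{0}: {1} (signer: {2})" -f $target, $sig.Status, $signer
```

Run it in an elevated PowerShell session so Get-HotFix can read the update history.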