According to the NSA, the flaw involved a vulnerability in Microsoft’s handling of certificate and cryptographic messaging functions in Windows. In theory, the flaw would have enabled attackers to spoof the digital signature assigned to a piece of software, allowing them to insert malicious code into it without raising any alarms. Worse still, the issue was not marked as critical by Microsoft: it has labelled the flaw as “important” but not “critical”. Since the emergence of the exploit, Microsoft has reportedly been hard at work patching it for Windows 10, Windows Server 2016, and Windows Server 2019.
As pointed out by The Verge, it’s rare that a government agency such as the NSA ever gets involved with matters regarding consumer technology, but to be fair, it’s not the first time a US government body has done so. From the NSA’s point of view, though, the agency said in a statement that “the vulnerability places Windows endpoints at risk to a broad range of exploitation vectors,” and that “Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.” (Source: The Verge via NSA)