
NSA alerts Microsoft to a major security flaw in Windows 10

2020-1-17 14:39

Officials at the National Security Agency (NSA) said on Tuesday that the agency recently alerted Microsoft to a major flaw in its Windows operating system that could let hackers impersonate legitimate software companies.

Microsoft released a software update on Tuesday to fix the vulnerability, as part of its normal schedule for releasing software patches.

News of the vulnerability and the patch was first reported by independent journalist Brian Krebs. Krebs said Microsoft had provided the software fix to the military and critical infrastructure companies before the patch was released on Tuesday.


Microsoft said in a statement Monday night that it provides advance versions of its updates to some users through a special testing program. Jeff Jones, a senior director at Microsoft, declined to discuss details of the flaw, "to avoid unnecessary risk to customers."

The company did not immediately respond to a request for comment on Tuesday.

The NSA's rare announcement of the flaw, and its decision to warn Microsoft rather than exploit the vulnerability for intelligence purposes, underscores the enormous threat it could pose to businesses, consumers and government agencies worldwide.

The NSA said that while it has shared vulnerability information with the private sector in the past, this is the first time it has done so publicly. The agency said the decision reflects an effort to build trust with cybersecurity researchers.

"Part of building trust is showing the data," Anne Neuberger, the NSA's director of cybersecurity, told reporters on a conference call Tuesday. Because the NSA has never allowed itself to be linked to a vulnerability disclosure, she said, "it's hard for entities to trust that we take this seriously. Ensuring that vulnerabilities can be mitigated is an absolute priority."

Neuberger added that the NSA did not use the vulnerability to attack adversaries, and that the flaw was handed over to Microsoft as soon as it was discovered. She said the NSA has not found any other entities using the vulnerability.

The Department of Homeland Security said on the call that it would issue a bulletin to federal agencies advising them to install Microsoft's patch immediately.

The flaw concerns a core Windows function, CryptoAPI, which verifies the legitimacy of applications and programs.


Ashkan Soltani, a security expert and former chief technologist at the Federal Trade Commission, said that by compromising this validation function, hackers could easily impersonate "good" software companies to install bad software, which could allow them to spy on computer users or hold their devices hostage for ransom.

The National Security Agency recently alerted Microsoft to a major flaw in its Windows operating system that could let hackers pose as legitimate software companies, agency officials said on Tuesday.

Microsoft (MSFT) issued a software update on Tuesday to fix the vulnerability, as part of its normal schedule for releasing software patches.

News of the vulnerability and patch was first reported by independent journalist Brian Krebs, who said Microsoft provided its software fix to the military and key infrastructure companies ahead of Tuesday's public release.

Microsoft said in a statement Monday night that it provides advance versions of its updates to some users under a special testing program. Jeff Jones, a senior director at Microsoft, declined to discuss specifics of the flaw "to prevent unnecessary risk to customers."

The company did not immediately respond to a request for comment on Tuesday. 

The NSA's rare announcement of the flaw, along with its decision to warn Microsoft rather than exploit the bug for intelligence purposes, underscores the magnitude of the threat it could pose to businesses, consumers and government agencies worldwide.

The NSA said that, while it has shared vulnerability information with the private sector in the past, this marks the first time that it has come forward publicly to do so. The agency said the decision reflects an effort to build trust with cybersecurity researchers.

"Part of building trust is showing the data," Anne Neuberger, the NSA's director of cybersecurity, told reporters on a conference call Tuesday. Because the NSA has never allowed itself to be linked to a vulnerability disclosure, she said, "it's hard for entities to trust that we take this seriously. And ensuring vulnerabilities can be mitigated is an absolute priority."

The NSA did not use the vulnerability to exploit adversaries, and the bug was turned over to Microsoft as soon as it was discovered, Neuberger added. She said the NSA has not detected any other entities using the bug.

The Department of Homeland Security said on the call that it would issue a bulletin to federal agencies advising them to install the Microsoft patches immediately.

The flaw concerns a core Windows function that verifies the legitimacy of apps and programs, a feature known as CryptoAPI.

"It's the equivalent of a building security desk checking IDs before permitting a contractor to come up and install new equipment," said Ashkan Soltani, a security expert and former chief technologist for the Federal Trade Commission.

By compromising that validation feature, hackers could easily impersonate "good" software companies to install bad software, Soltani said, potentially allowing them to spy on computer users or hold their devices hostage for ransom.
Original author: Brian Fung. Source: CNN