The NSA found and reported a notably serious vulnerability in a core cryptographic component that is present in all versions of Windows. The Windows component is known as crypt32.dll. The danger is that Crypt32.dll, also known as Microsoft CryptoAPI, is what enables developers to secure Windows-based applications using cryptography, and it provides functionality for encrypting and decrypting digital certificates.
This security flaw allows malicious programmers to create malware and mask it as a normal application signed by a renowned and trusted software company.
This is the first time in history that the NSA is accepting attribution for finding a vulnerability. While it is not the first time the NSA has found vulnerabilities, it is the first time they have publicly made an announcement. Since it is an action out of the norm, it is worth questioning whether the NSA publicly reporting the vulnerability is due to pure intentions or not.
This is a loaded question. However, there is no doubt that the actions taken by the NSA will prevent bad actors and foreign governments from taking advantage of this vulnerability. On the other hand, you can also count on the NSA to take full advantage of flaws present and mine all relevant data before going public with this breaking news. It is unclear how long the NSA knew about the flaw before reporting the issue to Microsoft.
Two years ago, a previous NSA exploit, known as EternalBlue, leaked and led to the WannaCry ransomware attacks. The 2013 surveillance revelations coupled with the EternalBlue leak created havoc online and tarnished NSA’s image. This new act may be a way for NSA to redeem itself and rehabilitate its image amongst the infosec community. The reporting of the security flaw is, however, a move that is far from NSA’s prior positions.
Count on the fact that most foreign governments will exploit security flaws for their own advantage if given the opportunity. You can also count on the fact that if you are not proactively protecting yourself online, your data will be collected without your knowledge. Protect yourself with PrivadoVPN.