A vulnerability leak in Windows 10 has put Microsoft security experts at risk. In connection with a regular security update for its Windows operating system, information about a vulnerability that should not actually have been made public was apparently circulating among IT security researchers on Tuesday.
The vulnerability was described in two blog posts by IT security companies, but was not corrected in the security update published by Microsoft at the same time. This is a sequence of events that IT security experts normally try to avoid. Microsoft has, in effect, set up a clearly visible illuminated arrow next to a small door whose lock hackers now only have to crack. Security experts now fear that criminals will develop suitable malware to take advantage of the vulnerability. Such a tool would be easier for tech-savvy hackers to make if they knew what the vulnerability looked like.
Large software companies often make security holes public once they have found them. This often happens in cooperation with IT security companies – apparently this was also planned in the current case. However, the information should not be made public until the vulnerabilities have been closed. The fact that this did not happen in the current case prompted criticism from IT security experts such as security researcher Jake Williams.
Windows users can protect themselves with one click
It was only two days later, this Thursday, that Microsoft released a security update to fix the vulnerability. The Federal Office for Information Security (BSI) advises Windows users to download it and install it immediately.
The vulnerability potentially affects all users of Windows 10 who have updated their system since September 2019. Specifically, the point of entry is in the so-called SMBv3 system. This function in Windows 10 ensures, for example, that a computer can connect to printers via Wi-Fi.
IT security researchers are particularly alarmed by the vulnerability because WannaCry and NotPetya, two of the most harmful Trojans of recent years, exploited a very similar Windows vulnerability to spread worldwide. WannaCry and NotPetya are extortion Trojans that encrypt their victims’ data and have caused significant damage to many corporations and private individuals. They functioned like a worm that spread independently, especially in company networks, once it had infected a single computer. They paralyzed globally operating shipping companies such as Maersk as well as Deutsche Bahn display boards.
The BSI describes the vulnerability as “critical”. However, the risk is lower than with WannaCry or NotPetya. This is because hackers always need malware to take advantage of the vulnerability. In the case of WannaCry and NotPetya, they had particularly effective tools on hand to penetrate deep into their victims’ computer systems. This is not the case with the current vulnerability.
In addition, many routers that users use to access the network from home block a crucial channel that Trojans can use to attack. The BSI and Microsoft emphasized that no exploitation of the vulnerability has been observed so far. “That could certainly change in the short term,” says the BSI.
However, the current SMBv3 security vulnerability forces administrators of larger networks, for example in companies, to act. “For private individuals, the risk tends to be lower than in corporate networks,” a BSI spokesman told the SZ. This is because SMB connections are used more often in larger networks, for example to send files to an office printer or to connect to network hard drives.