The CVE-2020-0601 vulnerability marks the first time when Microsoft credited the NSA for reporting a bug

He Who Points And Laughs

Microsoft fixes Windows crypto bug reported by the NSA (http://archive.is/JsScb)

Microsoft has released a security update today to fix "a broad cryptographic vulnerability" impacting the Windows operating system.

The bug was discovered and reported by the US National Security Agency (NSA), NSA Director of Cybersecurity Anne Neuberger said in a press call today.

The CVE-2020-0601 bug
The vulnerability, tracked as CVE-2020-0601, impacts the Windows CryptoAPI, a core component of the Windows operating system that handles cryptographic operations.

According to a security advisory published today, "a spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates."

Microsoft says that an attacker could exploit this bug "to sign a malicious executable, making it appear the file was from a trusted, legitimate source."

But besides faking file signatures, the bug could also be used to fake digital certificates used for encrypted communications.

"A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software," Microsoft also said.

According to Microsoft, this vulnerability impacts Windows 10, Windows Server 2019, and Windows Server 2016 OS versions.

Microsoft and the NSA said they have not seen any active attacks exploiting this bug prior to today's patch.
 
I'd like to hear that boardroom conversation when the Microsoft employees had to explain to their boss that the NSA of all people did their bug testing better than them.

Why would this be different from the time when literally anyone bug tested Windows better than them?

You know, any time.
 
I'd like to hear that boardroom conversation when the Microsoft employees had to explain to their boss that the NSA of all people did their bug testing better than them.
This is Microsoft, their customers do the bug testing for them. Even if this all comes at the cost of your My Documents folder.
 
Microsoft says that an attacker could exploit this bug "to sign a malicious executable, making it appear the file was from a trusted, legitimate source."
Don't have to worry about malicious signing if you just don't even provide the checksums for your Windows 10 ISOs!
Learned about this annoyance the other day at work.
 
So what are the odds that this was a backdoor, originally developed by the NSA or at least known and used by them for years, until they found out that third parties have discovered it as well? A private backdoor becoming public is a liability, so the disclosure is an attempt to save face and do damage control.
 
This is legit concerning to me. My system’s been acting weird and I can’t update Windows 10 for some reason.
 
The past few years haven’t been kind to Microsoft. So many egregious vulnerabilities coming out of the woodwork, a perpetual game of whack-a-mole because they can never seem to patch one before two more (“critical”) vulnerabilities arise.

Since 2017, depending on your enterprise agreement with Microsoft, they’ve been offering their own “professional services” to help mitigate Windows-related vulnerabilities. Even without the enterprise agreement, this is usually a more cost-efficient route than hiring someone to manage SCCM/WSUS.

Everyone is eager to jump onto the O365 service to handle everything. No company I’ve worked for within the last ~5 years has a bare metal or hybrid mail solution anymore - trust in the cloud. Microsoft has been trying to tap into the SaaS market for a while, and I think 2020 might be the year they manage. What’s really stopping them from offering agents, a la LanDESK or OpsRamp that will allow for them to alert on and patch especially heinous vulnerabilities as they’re published? Gotta watch and wait for signatures and checks to be written for most scanning utilities.

edit: phrasing and grammar
 