The CVE-2020-0601 vulnerability marks the first time when Microsoft credited the NSA for reporting a bug

[He Who Points And Laughs]

Microsoft fixes Windows crypto bug reported by the NSA (http://archive.is/JsScb)

Microsoft has released a security update today to fix "a broad cryptographic vulnerability" impacting the Windows operating system.

The bug was discovered and reported by the US National Security Agency (NSA), NSA Director of Cybersecurity Anne Neuberger said in a press call today.

The CVE-2020-0601 bug
The vulnerability, tracked as CVE-2020-0601, impacts the Windows CryptoAPI, a core component of the Windows operating system that handles cryptographic operations.

According to a security advisory published today, "a spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates."

Microsoft says that an attacker could exploit this bug "to sign a malicious executable, making it appear the file was from a trusted, legitimate source."

But besides faking file signatures, the bug could also be used to fake digital certificates used for encrypted communications.

"A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software," Microsoft also said.

According to Microsoft, this vulnerability impacts Windows 10, Windows Server 2019, and Windows Server 2016 OS versions.

Microsoft and the NSA said they have not seen any active attacks exploiting this bug prior to today's patch.

 

[Thumb Butler]

Yeah, I'm totally trusting NSA.

 

[He Who Points And Laughs]

Yeah, I'm totally trusting NSA.

So you're not going to patch any of the vulnerable windows systems you control?

 

[Thumb Butler]

Windows 10 update bricked my computer. I had to reset it and hasn't updated since October (I blocked it by pretending to have a data cap). I'm doing fine.

 

[Coffee Shits]

Who cares? If you're running Windows 10 you've forfeited your privacy and consumer rights anyway.

 

[He Who Points And Laughs]

If this RCE could have granted NT AUTHORITY\SYSTEM, do you think the NSA would have disclosed it at all, or do you think they would have kept it in their arsenal like they did with Eternalblue/DoublePulsar?

 

[RA-5C Vigilante]

I'd like to hear that boardroom conversation when the Microsoft employees had to explain to their boss that the NSA of all people did their bug testing better then them.

 

[Pope Negro Joe the XIIIth]

I'd like to hear that boardroom conversation when the Microsoft employees had to explain to their boss that the NSA of all people did their bug testing better then them.

Why would this be different from the time when literally anyone bug tested Windows better than them?

You know, any time.

 

[CIA Nigger]

I'd like to hear that boardroom conversation when the Microsoft employees had to explain to their boss that the NSA of all people did their bug testing better then them.

This is Microsoft, their customers do the bug testing for them. Even if this all comes at the cost of your My Documents folder.

 

[REGENDarySumanai]

Not really surprised by this since NSA does a lot of computer stuff, though it's mainly related to Linux. Feel free to use their stuff from their two github pages though.

 

[Yotsubaaa]

Microsoft says that an attacker could exploit this bug "to sign a malicious executable, making it appear the file was from a trusted, legitimate source."

Don't have to worry about malicious signing if you just don't even provide the checksums for your Windows 10 ISOs!
(black_guy_tapping_temple.gif)

Does Microsoft publish the checksums of the Windows 10 ISO files ? - …

archived 14 Jan 2020 23:17:53 UTC

archive.li

Learned about this annoyance the other day at work.

 

[byuu]

Better headline, courtesy of n-gate:

The National Security Agency, for the first time in recorded history, contributes as an Agency to the Security of the Nation.

 

[Grotesque Bushes]

Remember those ads saying you should switch from win7 to 10 for security reasons? Joke's on them.

 

[MAPK phosphatase]

Eternalblue/DoublePulsar

We need more NSA leaks purely so we can hear more of these fucking awesome codenames.

 

[Honka Honka Burning Love]

Better headline, courtesy of n-gate:

*slow clap* I loled at that one.

 

[Vecr]

I'm still running on win7 and have been backing stuff up to update to 10. Is it really that bad? Yeesh...

Try the "Am I Vulnerable" link at the top of the page or at https://testcve.kudelskisecurity.com/.

 

[DidYouJustSayThat]

So what are the odds, that this was a backdoor, originally developed by NSA or at least known and used by them for years until they found out, that 3rd parties have discovered it as well? A private backdoor becoming public is a liability so the disclosure is an an attempt to save face and do damage control.

 

[Cedric_Eff]

This is legit concerning to me. My system’s been acting weird and I can’t update Windows 10 for some reason.

 

[Looney Troons]

The past few years haven’t been kind to Microsoft. So many egregious vulnerabilities coming out of the woodwork, a perpetual game of whack-a-mole because they can never seem to patch one before two more (“critical”) vulnerabilities arise.

Since 2017, depending on your enterprise agreement with Microsoft, they’ve been offering their own “professional services” to help mitigate Windows-related vulnerabilities. Even without the enterprise agreement, this is usually a more cost-efficient route than hiring some to manage SCCM/WSUS.

Everyone is eager to jump onto the O365 service to handle everything. No company I’ve worked for within the last ~5 years has a bare metal or hybrid mail solution anymore - trust in the cloud. Microsoft has been trying to tap into the SaaS market for a while, and I think 2020 might be the year they manage. What’s really stopping them from offering agents, a la LanDESK or OpsRamp that will allow for them to alert on and patch especially heinous vulnerabilities as they’re published? Gotta watch and wait for signatures and checks to be written for most scanning utilities.

edit: phrasing and grammar

 

[Borax Bozo]

So this drops as soon as Win 7 is out of support - are the majority of machines out there just fucked?