SoylentNews is people
SoylentNews
Windows 10: NSA reveals major flaw in Microsoft's code:
The US National Security Agency (NSA) has revealed a major flaw in Windows 10 that could have been used by hackers to create malicious software that looked legitimate.
Microsoft is expected to issue a patch later and to say that the bug has not been exploited by hackers.
The issue was revealed during an NSA press conference.
It was not clear how long it had known about it before revealing it to Microsoft.
Brian Krebs, the security expert who first reported the revelation[*], said the software giant had already sent the patch to branches of the US military and other high-level users. It was, he wrote, "extraordinarily scary".
The problem exists in a core component of Windows known as crypt32.dll, a program that allows software developers to access various functions, such as digital certificates which are used to sign software.
It could, in theory, have allowed a hacker to pass off a piece of malicious software as being entirely legitimate.
[*] Cryptic Rumblings Ahead of First 2020 Patch Tuesday.
https://kb.cert.org/vuls/id/849224/
The Microsoft Windows CryptoAPI, which is provided by Crypt32.dll, fails to validate ECC [Elliptic Curve Cryptography] certificates in a way that properly leverages the protections that ECC cryptography should provide. As a result, an attacker may be able to craft a certificate that appears to have the ability to be traced to a trusted root certificate authority.
Any software, including third-party non-Microsoft software, that relies on the Windows CertGetCertificateChain() function to determine if an X.509 certificate can be traced to a trusted root CA may incorrectly determine the trustworthiness of a certificate chain.
(Score: 5, Interesting) by bradley13 on Wednesday January 15 2020, @09:03AM (2 children)
"She added that the agency had decided to make its involvement in the discovery public at Microsoft's request."
In other words: the NSA discovered this, and has been actively exploiting it. Microsoft caught them at it, and was going to issue the patch.
But patches come with explanations, and that would have been embarrassing for the NSA. So Microsoft gave them a chance to save face. Which has nothing to do with Microsoft's lucrative governmental contracts. Nothing at all...
The secret agencies in the US government are out of control. We've known this at least since Snowdon, but apparently no one cares...
Everyone is somebody else's weirdo.
(Score: 3, Informative) by DannyB on Wednesday January 15 2020, @04:01PM (1 child)
Nobody who can do anything about it cares.
Anyone who cares has no power. What? You think your vote means something?
The people who rely on government handouts and refuse to work should be kicked out of congress.
(Score: 0) by Anonymous Coward on Thursday January 16 2020, @03:36PM
Those with power to do something about it care.
They just are on the other side.