posted by chromas on Wednesday January 15 2020, @07:42AM
from the Ruh-Roh! dept.

Windows 10: NSA reveals major flaw in Microsoft's code:

The US National Security Agency (NSA) has revealed a major flaw in Windows 10 that could have been used by hackers to create malicious software that looked legitimate.

Microsoft is expected to issue a patch later and to say that the bug has not been exploited by hackers.

The issue was revealed during an NSA press conference.

It was not clear how long it had known about it before revealing it to Microsoft.

Brian Krebs, the security expert who first reported the revelation[*], said the software giant had already sent the patch to branches of the US military and other high-level users. It was, he wrote, "extraordinarily scary".

The problem exists in a core component of Windows known as crypt32.dll, a program that allows software developers to access various functions, such as digital certificates which are used to sign software.

It could, in theory, have allowed a hacker to pass off a piece of malicious software as being entirely legitimate.

[*] Cryptic Rumblings Ahead of First 2020 Patch Tuesday.

https://kb.cert.org/vuls/id/849224/

The Microsoft Windows CryptoAPI, which is provided by Crypt32.dll, fails to validate ECC [Elliptic Curve Cryptography] certificates in a way that properly leverages the protections that ECC cryptography should provide. As a result, an attacker may be able to craft a certificate that appears to have the ability to be traced to a trusted root certificate authority.

Any software, including third-party non-Microsoft software, that relies on the Windows CertGetCertificateChain() function to determine if an X.509 certificate can be traced to a trusted root CA may incorrectly determine the trustworthiness of a certificate chain.
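A defender's triage check for the flaw described above, added here and not part of the story, the CERT note, or any Microsoft code: the vulnerable validation path is only reached by certificates whose ECC key carries explicit curve parameters instead of a named-curve OID, so a pure-stdlib DER walker that reports which form a certificate uses can flag suspect files before anything hands them to CertGetCertificateChain(). The two sample certificates are constructed skeletons (unsigned, empty names) and every helper name is my own.

```python
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")    # OID 1.2.840.10045.2.1
SECP256R1 = bytes.fromhex("2a8648ce3d030107")         # OID 1.2.840.10045.3.1.7
ECDSA_SHA256 = bytes.fromhex("2a8648ce3d040302")      # OID 1.2.840.10045.4.3.2

def tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder (lengths below 65536), used only to build the samples."""
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + body

def parse(der: bytes, pos: int = 0):
    """Decode one DER TLV at pos -> (tag, value, position after it)."""
    tag, ln, pos = der[pos], der[pos + 1], pos + 2
    if ln & 0x80:                                     # long-form length
        nbytes, pos = ln & 0x7F, pos + (ln & 0x7F)
        ln = int.from_bytes(der[pos - nbytes:pos], "big")
    return tag, der[pos:pos + ln], pos + ln

def children(body: bytes):
    """All (tag, value) pairs directly inside a constructed element."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse(body, pos)
        out.append((tag, val))
    return out

def ec_parameter_form(cert_der: bytes) -> str:
    """'named', 'explicit', 'implicit' or 'not-ec' for the certificate's key parameters."""
    _, cert_body, _ = parse(cert_der)
    fields = children(children(cert_body)[0][1])     # tbsCertificate fields
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields = fields[1:]
    spki = fields[5][1]                               # serial, sigAlg, issuer, validity, subject, spki
    alg = children(children(spki)[0][1])              # AlgorithmIdentifier -> [oid, params]
    if alg[0][1] != ID_EC_PUBLIC_KEY:
        return "not-ec"
    ptag = alg[1][0] if len(alg) > 1 else 0x05        # absent params == implicitCurve (NULL)
    return {0x06: "named", 0x30: "explicit", 0x05: "implicit"}.get(ptag, "unknown")

def build_sample_cert(params: bytes) -> bytes:
    """Constructed, unsigned certificate skeleton carrying the given EC parameters."""
    alg = tlv(0x30, tlv(0x06, ID_EC_PUBLIC_KEY) + params)
    spki = tlv(0x30, alg + tlv(0x03, b"\x00\x04" + b"\x11" * 64))   # dummy uncompressed point
    sig, empty = tlv(0x30, tlv(0x06, ECDSA_SHA256)), tlv(0x30, b"")  # empty issuer/validity/subject
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sig + empty * 3 + spki)
    return tlv(0x30, tbs + sig + tlv(0x03, b"\x00"))

NAMED_CERT = build_sample_cert(tlv(0x06, SECP256R1))
EXPLICIT_CERT = build_sample_cert(tlv(0x30, tlv(0x02, b"\x01")))   # SpecifiedECDomain skeleton
```

Real-world use is simply `ec_parameter_form(open(path, "rb").read())` on a DER file; any result of "explicit" deserves a closer look on a Windows host that has not yet taken the patch.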



  • (Score: 2) by The Mighty Buzzard on Wednesday January 15 2020, @02:38PM (3 children)

    by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Wednesday January 15 2020, @02:38PM (#943584) Homepage Journal

    It affected all versions of Windows that were still under support not just 10.

    --
    My rights don't end where your fear begins.
  • (Score: 2) by Osamabobama on Wednesday January 15 2020, @09:50PM (1 child)

    by Osamabobama (5842) on Wednesday January 15 2020, @09:50PM (#943799)

    It affected all versions of Windows that were still under support...

    So, does that include Windows 7? I mean, the story did come out yesterday...

    Never mind; apparently it does not. From TFA:

    The flaw is also an issue in Windows Server 2016 and 2019, but does not appear to affect older versions of the operating system.

    • (Score: 2) by arslan on Wednesday January 15 2020, @10:56PM

      by arslan (3462) on Wednesday January 15 2020, @10:56PM (#943818)

      No it doesn't, not this particular one that's related to the CryptoAPI CVE as far as I can tell. It only affects Win 10, Win Server 2016 and 2019.

  • (Score: 0) by Anonymous Coward on Thursday January 16 2020, @08:02PM

    by Anonymous Coward on Thursday January 16 2020, @08:02PM (#944194)

    Are older versions than Windows 10 versions affected by this vulnerability?

    No, only Windows 10 versions of the OS are affected. In the initial release of Windows 10 (Build 1507, TH1), Microsoft added support for ECC parameters configuring ECC curves. Prior to this, Windows only supported named ECC curves. The code which added support for ECC parameters also resulted in the certificate validation vulnerability. It was not a regression, and versions of Windows which don’t support ECC parameters configuring ECC curves (Server, 2008, Windows 7, Windows 8.1 and servers) were not affected.

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601