Windows 10: NSA reveals major flaw in Microsoft's code:
The US National Security Agency (NSA) has revealed a major flaw in Windows 10 that could have been used by hackers to create malicious software that looked legitimate.
Microsoft is expected to issue a patch later and to say that the bug has not been exploited by hackers.
The issue was revealed during an NSA press conference.
It was not clear how long it had known about it before revealing it to Microsoft.
Brian Krebs, the security expert who first reported the revelation[*], said the software giant had already sent the patch to branches of the US military and other high-level users. It was, he wrote, "extraordinarily scary".
The problem exists in a core component of Windows known as crypt32.dll, a program that allows software developers to access various functions, such as digital certificates which are used to sign software.
It could, in theory, have allowed a hacker to pass off a piece of malicious software as being entirely legitimate.
[*] Cryptic Rumblings Ahead of First 2020 Patch Tuesday.
https://kb.cert.org/vuls/id/849224/
The Microsoft Windows CryptoAPI, which is provided by Crypt32.dll, fails to validate ECC [Elliptic Curve Cryptography] certificates in a way that properly leverages the protections that ECC cryptography should provide. As a result, an attacker may be able to craft a certificate that appears to have the ability to be traced to a trusted root certificate authority.
Any software, including third-party non-Microsoft software, that relies on the Windows CertGetCertificateChain() function to determine if an X.509 certificate can be traced to a trusted root CA may incorrectly determine the trustworthiness of a certificate chain.
(Score: 1, Offtopic) by jmichaelhudsondotnet on Wednesday January 15 2020, @03:23PM
My first message to Microsoft and the NSA and everyone with Windows 10 installed:
https://archive.is/sE7LF
Anyone hit by this bug must accept they were warned. This is a company that routinely does this sort of shit.
Everything the NSA has is shared with Israel and the mafia, and used to drive the United States to civil war while sending fodder to Iraq etc:
https://archive.is/SiNIS
https://archive.is/EoIML
https://archive.is/Eu1Z4
So what would it look like if competent people were in charge who understood the meaning of the words trust, reliability and security?
Headlines in alternate non-fucked reality:
NSA: Windows 10 Fucks Our Shit Up Goddamit Make Their Crypto Illegal
Israel: Please, please let us have a single piece of information? No, ok, maybe next time if we ask nicer?
Users: I love Windows 10, it is stable and reliable, ransomware attacks never work and we only have to update once a year! And no one is reading our mind!
Government: This sure is great everything we have is not Swiss cheese
Schools: This sure is great that every spy in the world doesn't get the children's test data (https://archive.is/eSLh7)
(Score: 0) by Anonymous Coward on Saturday January 18 2020, @04:23PM
Take yer meds, dude.