
posted by chromas on Wednesday January 15 2020, @07:42AM
from the Ruh-Roh! dept.

Windows 10: NSA reveals major flaw in Microsoft's code:

The US National Security Agency (NSA) has revealed a major flaw in Windows 10 that could have been used by hackers to create malicious software that looked legitimate.

Microsoft is expected to issue a patch later and to say that the bug has not been exploited by hackers.

The issue was revealed during an NSA press conference.

It was not clear how long it had known about it before revealing it to Microsoft.

Brian Krebs, the security expert who first reported the revelation[*], said the software giant had already sent the patch to branches of the US military and other high-level users. It was, he wrote, "extraordinarily scary".

The problem exists in a core component of Windows known as crypt32.dll, a program that allows software developers to access various functions, such as digital certificates which are used to sign software.

It could, in theory, have allowed a hacker to pass off a piece of malicious software as being entirely legitimate.

[*] Cryptic Rumblings Ahead of First 2020 Patch Tuesday.

https://kb.cert.org/vuls/id/849224/

The Microsoft Windows CryptoAPI, which is provided by Crypt32.dll, fails to validate ECC [Elliptic Curve Cryptography] certificates in a way that properly leverages the protections that ECC cryptography should provide. As a result, an attacker may be able to craft a certificate that appears to have the ability to be traced to a trusted root certificate authority.

Any software, including third-party non-Microsoft software, that relies on the Windows CertGetCertificateChain() function to determine if an X.509 certificate can be traced to a trusted root CA may incorrectly determine the trustworthiness of a certificate chain.



  • (Score: 1) by bmimatt on Wednesday January 15 2020, @08:16AM

    by bmimatt (5050) on Wednesday January 15 2020, @08:16AM (#943503)

    Whaaaaa? That's impossible, given MS's impeccable security record over the last 2+ decades. This must be an example of the 'fake news' people have been warning us about. /s
    Seriously though, it's interesting they send out patches to the gov and mil first, what is essentially a canary release, even if it is a simple patch. What could possibly go wrong?

  • (Score: 2, Informative) by Anonymous Coward on Wednesday January 15 2020, @08:17AM (5 children)

    by Anonymous Coward on Wednesday January 15 2020, @08:17AM (#943504)

    This is so much worse than a back door that lets only certain people in. This is a whole wall missing. According to the CERT advisory,

    By exploiting this vulnerability, an attacker may be able to spoof a valid X.509 certificate chain on a vulnerable Windows system. This may allow various actions including, but not limited to, interception and modification of TLS-encrypted communications or spoofing an Authenticode signature.

    Anything that depends on a certificate is screwed. Probably too big of a hole for even the NSA to keep to itself once weaponized or they spotted it in the wild against government systems.

    • (Score: 2) by driverless on Wednesday January 15 2020, @10:18AM (2 children)

      by driverless (4770) on Wednesday January 15 2020, @10:18AM (#943530)

      an attacker may be able to spoof a valid X.509 certificate chain on a vulnerable Windows system

      As opposed to what attackers have been doing for years, stealing or buying fraudulent code-signing certs that allow them to do all that and more. This is only scary if you're part of the tiny subset of people who insist on pretending that X.509 works.

      • (Score: 1, Insightful) by Anonymous Coward on Wednesday January 15 2020, @11:50AM

        by Anonymous Coward on Wednesday January 15 2020, @11:50AM (#943546)

        This is only scary if you're part of the tiny subset of people who insist on pretending that X.509 works.

        This is only not scary if you're part of the tiny subset of people who insist on pretending that X.509 does not work.

      • (Score: 0) by Anonymous Coward on Wednesday January 15 2020, @02:24PM

        by Anonymous Coward on Wednesday January 15 2020, @02:24PM (#943583)

        the tiny subset of people who insist on pretending that X.509 works

        Apparently that tiny subset includes microsoft.

    • (Score: 0) by Anonymous Coward on Wednesday January 15 2020, @03:52PM (1 child)

      by Anonymous Coward on Wednesday January 15 2020, @03:52PM (#943629)

      Duh! Why do people put windows on a wall? To let the outside in. That's why it's called Windows.

      • (Score: 0) by Anonymous Coward on Friday January 17 2020, @11:17AM

        by Anonymous Coward on Friday January 17 2020, @11:17AM (#944493)

        If Facebook made an OS it would be called Walls.

        Think about that for a moment.

  • (Score: 4, Interesting) by canopic jug on Wednesday January 15 2020, @08:30AM (6 children)

    by canopic jug (3949) Subscriber Badge on Wednesday January 15 2020, @08:30AM (#943511) Journal

    What are the actual dates between original discovery and now? The date on which the exploit becomes known is not necessarily the same as the date the vendor is notified. Furthermore, the date on which the vendor issues a patch is not necessarily the same date it is notified.

    I bet it was known to and used by the NSA for a long time and that they gave up this exploit only because other countries were starting to abuse it too. For all we know the exploit could have been known to and in use by the NSA since the beginning. Neither Krebs's post nor the BBC article shines light on this. Each year the mitigation of M$ security holes becomes more opaque despite them being large enough to drive a semi through.

    --
    Money is not free speech. Elections should not be auctions.
    • (Score: 3, Informative) by maxwell demon on Wednesday January 15 2020, @08:39AM (4 children)

      by maxwell demon (1608) on Wednesday January 15 2020, @08:39AM (#943514) Journal

      Furthermore, the date on which the vendor issues a patch is not necessarily the same date it is notified.

      Of course not. Unless either the fix is trivial or the vendor had known it before and decided to sit on it, it will definitely take time to develop the patch.

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 2) by canopic jug on Wednesday January 15 2020, @08:54AM (3 children)

        by canopic jug (3949) Subscriber Badge on Wednesday January 15 2020, @08:54AM (#943515) Journal

        M$ usually takes months to years to develop a patch, as its past record shows. Using the same record it is shown that they usually need two or three tries to get the patch to work and to make patches for the bugs that the patch itself introduces. I notice that mitigations are no longer announced either. Without either mitigations or actual working patches, the window of opportunity for those exploiting Windows users must have been quite long.

        There are very few details even in the CVE so this one must have been quite good.

        --
        Money is not free speech. Elections should not be auctions.
        • (Score: 0) by Anonymous Coward on Wednesday January 15 2020, @09:21AM

          by Anonymous Coward on Wednesday January 15 2020, @09:21AM (#943522)

          CVEs like this are usually kept mostly secret until a majority of the user base is patched in an attempt to slow reverse engineering. I'd expect to see more details in a week or two. If not, someone (or twenty) will beat them to the punch by doing a binary analysis of the patch and comparing it to the previous version of the library on their blog.

        • (Score: 3, Insightful) by DannyB on Wednesday January 15 2020, @04:00PM (1 child)

          by DannyB (5839) Subscriber Badge on Wednesday January 15 2020, @04:00PM (#943632) Journal

          <no-sarcasm>

          Theory:
          NSA had already weaponized this. AND understood exactly how to fix it. Time passes . . .

          Suddenly, NSA discovers this is out in the open and about to be used against us, so it pretends to be the good guy and hands this to Microsoft along with information on how to immediately fix it.

          </no-sarcasm>

          --
          The people who rely on government handouts and refuse to work should be kicked out of congress.
          • (Score: 0) by Anonymous Coward on Wednesday January 15 2020, @07:43PM

            by Anonymous Coward on Wednesday January 15 2020, @07:43PM (#943740)

            i assume this is standard operating procedure.

    • (Score: 0) by Anonymous Coward on Friday January 17 2020, @09:53AM

      by Anonymous Coward on Friday January 17 2020, @09:53AM (#944476)

      Once a disclosure is given go and look for the first version of crypt32.dll to include ECC support. Try the proof of concept on it, see if it works and follow the codepaths to see if the correct function call order is done. If it is not or looks suspect, disassemble or use ghidra/IDA Pro to decompile and look at the logic and code flow.

      Rinse and repeat for each major release RTM to check if certain versions are found (in)secure.

      In all likelihood I assume this has been around since the beginning, which is why I simply disabled the certificate manager and only turned it on when I had to install software. That killed most software installs for 'trusted' software until I checked the certs and in some cases manually installed them.

  • (Score: 5, Interesting) by bradley13 on Wednesday January 15 2020, @09:03AM (2 children)

    by bradley13 (3053) on Wednesday January 15 2020, @09:03AM (#943517) Homepage Journal

    "She added that the agency had decided to make its involvement in the discovery public at Microsoft's request."

    In other words: the NSA discovered this, and has been actively exploiting it. Microsoft caught them at it, and was going to issue the patch.

    But patches come with explanations, and that would have been embarrassing for the NSA. So Microsoft gave them a chance to save face. Which has nothing to do with Microsoft's lucrative governmental contracts. Nothing at all...

    The secret agencies in the US government are out of control. We've known this at least since Snowden, but apparently no one cares...

    --
    Everyone is somebody else's weirdo.
    • (Score: 3, Informative) by DannyB on Wednesday January 15 2020, @04:01PM (1 child)

      by DannyB (5839) Subscriber Badge on Wednesday January 15 2020, @04:01PM (#943633) Journal

      but apparently no one cares...

      Nobody who can do anything about it cares.

      Anyone who cares has no power. What? You think your vote means something?

      --
      The people who rely on government handouts and refuse to work should be kicked out of congress.
      • (Score: 0) by Anonymous Coward on Thursday January 16 2020, @03:36PM

        by Anonymous Coward on Thursday January 16 2020, @03:36PM (#944013)

        Those with power to do something about it care.

        They just are on the other side.

  • (Score: 0) by Anonymous Coward on Wednesday January 15 2020, @09:21AM

    by Anonymous Coward on Wednesday January 15 2020, @09:21AM (#943521)

    no matter what third-party "hackers" do or don't

  • (Score: 2) by The Mighty Buzzard on Wednesday January 15 2020, @02:38PM (3 children)

    by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Wednesday January 15 2020, @02:38PM (#943584) Homepage Journal

    It affected all versions of Windows that were still under support, not just 10.

    --
    My rights don't end where your fear begins.
    • (Score: 2) by Osamabobama on Wednesday January 15 2020, @09:50PM (1 child)

      by Osamabobama (5842) on Wednesday January 15 2020, @09:50PM (#943799)

      It affected all versions of Windows that were still under support...

      So, does that include Windows 7? I mean, the story did come out yesterday...

      Never mind; apparently it does not. From TFA:

      The flaw is also an issue in Windows Server 2016 and 2019, but does not appear to affect older versions of the operating system.

      --
      Appended to the end of comments you post. Max: 120 chars.
      • (Score: 2) by arslan on Wednesday January 15 2020, @10:56PM

        by arslan (3462) on Wednesday January 15 2020, @10:56PM (#943818)

        No it doesn't, not this particular one that's related to the CryptoAPI CVE as far as I can tell. It only affects Win 10, Win Server 2016 and 2019.

    • (Score: 0) by Anonymous Coward on Thursday January 16 2020, @08:02PM

      by Anonymous Coward on Thursday January 16 2020, @08:02PM (#944194)

      Are older versions than Windows 10 versions affected by this vulnerability?

      No, only Windows 10 versions of the OS are affected. In the initial release of Windows 10 (Build 1507, TH1), Microsoft added support for ECC parameters configuring ECC curves. Prior to this, Windows only supported named ECC curves. The code which added support for ECC parameters also resulted in the certificate validation vulnerability. It was not a regression, and versions of Windows which don’t support ECC parameters configuring ECC curves (Server 2008, Windows 7, Windows 8.1 and servers) were not affected.

      https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
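The CERT note in the summary and the MSRC FAQ quoted in this comment point at the same structural detail: the vulnerable path is reached through ECC certificates that carry explicit curve parameters instead of a named curve. As an added example that is not code from the page, CERT or Microsoft, the following Python walks a DER certificate down to its SubjectPublicKeyInfo and reports which form the EC key uses, the kind of check a defender can run over certificates seen on the wire or inside signed binaries; the DER helpers and the skeletal test certificates are my own constructions.

```python
# Added example (not from the page, Microsoft or CERT); the OIDs are the real ones.
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # OID 1.2.840.10045.2.1
PRIME256V1 = bytes.fromhex("2a8648ce3d030107")      # OID 1.2.840.10045.3.1.7
PRIME_FIELD = bytes.fromhex("2a8648ce3d0101")       # OID 1.2.840.10045.1.1

def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):   # (tag, value) children of a constructed DER value
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def ec_params_kind(cert_der):
    """'named' | 'explicit' | 'implicit' for an EC certificate, None if not EC."""
    _, cert, _ = der_tlv(cert_der)
    fields = der_children(der_children(cert)[0][1])   # tbsCertificate
    if fields[0][0] == 0xA0:                          # optional [0] version
        fields = fields[1:]
    spki = fields[5][1]   # serial, sigAlg, issuer, validity, subject, spki
    alg = der_children(der_children(spki)[0][1])      # AlgorithmIdentifier
    if alg[0][1] != ID_EC_PUBLIC_KEY or len(alg) < 2:
        return None
    return {0x06: "named", 0x30: "explicit", 0x05: "implicit"}.get(alg[1][0], "unknown")

# Constructed test data: a skeletal, unsigned certificate, not a real one.
def der(tag, *parts):
    body = b"".join(parts)
    length = bytes([len(body)]) if len(body) < 128 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body

def skeleton_cert(ec_params):
    """Wrap the given EC AlgorithmIdentifier parameters in a minimal certificate."""
    alg = der(0x30, der(0x06, ID_EC_PUBLIC_KEY), ec_params)
    spki = der(0x30, alg, der(0x03, b"\x00\x04"))     # placeholder public key
    empty = der(0x30)                                 # empty sigAlg/issuer/validity/subject
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"),
              empty, empty, empty, empty, spki)
    return der(0x30, tbs, empty, der(0x03, b"\x00"))

NAMED = der(0x06, PRIME256V1)                         # what real-world certs carry
EXPLICIT = der(0x30, der(0x02, b"\x01"),              # ECParameters SEQUENCE built from
               der(0x30, der(0x06, PRIME_FIELD), der(0x02, b"\x17")),  # placeholder field,
               der(0x30, der(0x04, b"\x01"), der(0x04, b"\x01")),      # curve, base and
               der(0x04, b"\x04"), der(0x02, b"\x05"))                  # order values
```

Run `ec_params_kind` over the DER of each certificate in a chain; an "explicit" result on anything other than a self-signed test certificate is worth an alert, since public CAs issue named-curve keys only.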

  • (Score: 1, Offtopic) by jmichaelhudsondotnet on Wednesday January 15 2020, @03:23PM (1 child)

    by jmichaelhudsondotnet (8122) on Wednesday January 15 2020, @03:23PM (#943607) Journal

    My first message to microsoft and the nsa and everyone with windows 10 installed:

    https://archive.is/sE7LF

    Anyone hit by this bug must accept they were warned. This is a company that routinely does this sort of shit.

    Everything the NSA has is shared with Israel and the mafia, and used to drive the United States to civil war while sending fodder to Iraq etc:

    https://archive.is/SiNIS
    https://archive.is/EoIML
    https://archive.is/Eu1Z4

    So what would it look like if competent people were in charge who understood the meaning of the words trust, reliability and security?

    Headlines in alternate non-fucked reality:

    NSA: Windows 10 Fucks Our Shit Up Goddamit Make Their Crypto Illegal
    Israel: Please, please let us have a single piece of information? No, ok, maybe next time if we ask nicer?
    Users: I love windows 10, it is stable and reliable, ransomware attacks never work and we only have to update once a year! And no one is reading our mind!
    Government: This sure is great everything we have is not swiss cheese
    Schools: This sure is great that every spy in the world doesn't get the children's test data (https://archive.is/eSLh7)

    • (Score: 0) by Anonymous Coward on Saturday January 18 2020, @04:23PM

      by Anonymous Coward on Saturday January 18 2020, @04:23PM (#944991)

      Take yer meds, dude.
