Cryptic Rumblings Ahead of First 2020 Patch Tuesday (krebsonsecurity.com)
Brian Krebs: Sources tell KrebsOnSecurity that Microsoft is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020. According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles "certificate and cryptographic messaging functions in the CryptoAPI." The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates. NSA said on Tuesday that it spotted the vulnerability and reported it to Microsoft. NSA said Microsoft will report later today that it has seen no active exploitation of this vulnerability. NSA's Director of Cybersecurity, Anne Neuberger, says the critical cryptographic vulnerability resides in Windows 10 and Windows Server 2016, and that the concern about this particular flaw is that it "makes trust vulnerable."
NSAKEY (Score:5, Funny)
Re:NSAKEY (Score:5, Funny)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
They've upgraded the ROT13 cipher to double ROT13 for extra security.
Wrong. They use eight (8) loops. If two is more secure than one, just imagine how much more secure 8 will be.
Re: (Score:2)
Why are we still using outdated ROT 13? ROT 26 is where it's at!
Re: (Score:2)
Probably more like... a new one has long been in place, and some researcher figured out the older back door.
Likely a way of making the client or server API think an unsigned cert is a trusted CA cert valid for TLS for any arbitrary hostname, and when setting a bit the client or server will render its private keys hidden in the certificate download.
More likely it is disinformation (Score:1)
Re: (Score:3)
Re: (Score:1)
Does it burn your house down as well?
Windows 10 Home & Professional do.
Windows 10 Enterprise is only suitable for burning office buildings, missile launch sites, laboratories, etc.
Re: (Score:1)
Re: (Score:2)
When people complain about capitalism, they actually complain about Amazon, Microsoft, Oracle, Facebook, all New York banks etc. A few godlike owners establishing a company that is intelligent, greedy, unethical and power-hungry. And despite the company and most of its senior management having become absolutely filthy stinking rich, rich beyond everyone's wildest dreams even, they are always down to save on necessities and earn through malevolence. Spending less on quality control, safety testing and over
Re: (Score:2)
Given that there have been vulns in there that would, for example, hand your private key out to anyone who asked for it, you have to wonder what this is if it's "extraordinarily serious". Does it burn your house down as well?
No pyrotechnics, but it does breach your trust like a long time friend, and then it dates your sister... not the pretty one, but the one who kind of looks like you.
Doubt it's disinfo (Score:2)
Given that there have been vulns in there that would, for example, hand your private key out to anyone who asked for it, you have to wonder what this is if it's "extraordinarily serious". Does it burn your house down as well?
Since NSA is the party that discovered this bug, my bet is that they were researching new ways to plant malware in Windows... for doing things like planting Trojans in Iranian nuclear research servers... and that in doing so, they found the bug. Which means that they think it's a pretty damn serious bug. That would mean that they judged the danger to Western server systems as being more grave than any advantage they had backdooring enemy systems.
Re: (Score:2)
Windows 7 ran out of support on Tuesday the 14th. The very same day, the most critical security flaw in the history of Windows is reported, which will most likely NOT get patched for Windows 7. On the same day.
That is a tiny bit coincidental, isn't it?
Microsoft selling more Windows 10 upgrades and the NSA getting always-connected Windows 10 into more homes can't possibly be in the mutual interest of both parties. No. That is all a conspiracy theory. Super-critical flaws and end-of-support-dates just coincide
Re: (Score:2)
No. That is all a conspiracy theory.
Yep, conspiracy theory. Windows 7 gets updates today, so your entire point is moot.
No patch for Win 7 (Score:2)
Yep, conspiracy theory. Windows 7 gets updates today, so your entire point is moot.
As of this posting, nothing but Win 10 and Windows Server is supported for this patch. Nice job, Microsoft.
https://www.catalog.update.mic... [microsoft.com]
Re: (Score:2)
As of this posting, nothing but Win 10 and Windows Server is supported for this patch. Nice job, Microsoft.
Looks like this one only applies to Win 10 era windows.
I can't believe I'm quoting from the US-CERT mailing list, which has consistently provided old news, useless data and comical advice ever since it was taken over by the US government a lifetime ago.
"This vulnerability affects all machines running 32- or 64-bit Windows 10 operating systems, including Windows Server versions 2016 and 2019."
"This vulnerability allows Elliptic Curve Cryptography (ECC) certificate validation to bypass the trust store, enabling un
Re: (Score:2)
That may be because the Win7 version of CryptoAPI never supported the explicit ECDSA params that are required to make the attack work.
Another point is that it's yet another vuln in X.509 certs, which for the vast majority of use, the web, do nothing anyway, so most people won't even notice it's there.
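The "explicit ECDSA params" distinction above is something a validator or certificate-log pipeline can check for itself: RFC 5480 requires PKIX certificates to identify the curve by a namedCurve OID, so an explicit ECParameters SEQUENCE in the SubjectPublicKeyInfo is itself a red flag. The following is an added example, not code from the thread or from Microsoft; the helper names and both sample inputs are constructed here.

```python
# Added example (not from the thread): classify the EC parameters in a DER
# SubjectPublicKeyInfo. RFC 5480 requires namedCurve in PKIX certificates,
# so a validator or certificate-log pipeline can reject or flag explicit ones.
# Helper names and the sample inputs are constructed for this example.

OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # 1.2.840.10045.2.1
OID_SECP256R1 = bytes.fromhex("2a8648ce3d030107")    # 1.2.840.10045.3.1.7

def der_len(n: int) -> bytes:
    """Encode a DER length: short form up to 127, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    """Build one DER tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf: bytes, pos: int):
    """Parse the TLV at buf[pos]; return (tag, body, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def ec_params_kind(spki: bytes) -> str:
    """Return 'named', 'explicit', 'implicit', 'not-ec' or 'unknown'."""
    _, spki_body, _ = read_tlv(spki, 0)       # SubjectPublicKeyInfo SEQUENCE
    _, alg, _ = read_tlv(spki_body, 0)        # AlgorithmIdentifier SEQUENCE
    tag, oid, pos = read_tlv(alg, 0)          # algorithm OID
    if tag != 0x06 or oid != OID_EC_PUBLIC_KEY:
        return "not-ec"
    if pos >= len(alg):
        return "implicit"                     # parameters field absent
    tag, _, _ = read_tlv(alg, pos)            # OID, SEQUENCE or NULL
    return {0x06: "named", 0x30: "explicit", 0x05: "implicit"}.get(tag, "unknown")

# Constructed inputs: a P-256 key with a namedCurve OID, and the same key with a
# placeholder explicit ECParameters SEQUENCE (only its outer tag matters here).
DUMMY_POINT = tlv(0x03, b"\x00\x04" + b"\x11" * 64)  # BIT STRING, uncompressed point
NAMED_SPKI = tlv(0x30, tlv(0x30, tlv(0x06, OID_EC_PUBLIC_KEY)
                           + tlv(0x06, OID_SECP256R1)) + DUMMY_POINT)
EXPLICIT_SPKI = tlv(0x30, tlv(0x30, tlv(0x06, OID_EC_PUBLIC_KEY)
                              + tlv(0x30, tlv(0x02, b"\x01"))) + DUMMY_POINT)
```

On a real certificate, feed it the DER of the tbsCertificate's subjectPublicKeyInfo field; anything other than "named" for an EC key should fail validation or at least be logged.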
Re: (Score:2)
Responsible disclosure (Score:4, Insightful)
When sufficiently developed responsible disclosure [wikipedia.org] is indistinguishable from either black or foil hattery.
Win7 (Score:3)
Is Win7 getting this patch?
If not, an "extraordinarily serious" crypto hole being the first item to hit as soon as Win7 goes EOL would really set the tin foil hats going.
Re:Win7 (Score:5, Informative)
Yes, Windows 7 would get this patch. Today is the final regular patch release for that OS; so anything getting fixed today in Windows will include Win7.
Re: (Score:2)
No, it's not the final regular patch release. It's the final FREE regular patch release. Those with Windows 7 support plans will get security updates
I think Windows 7 can still get another year of updates, but you're going to have to pay for it.
Re: (Score:3)
So here is the link to the last set of Windows 7 updates [microsoft.com].
Good luck to all!
Microsoft NSA Backdoor © (Score:2)
Microsoft gave US intelligence agencies
Lots of "could" and "might". (Score:2)
Hard to say much more since we don't know much about the actual vulnerability. I guess we will know more later today.
Re: (Score:2)
Just be patient! You will learn everything about this hole, when in a few months criminals fleece the next major corporation of terabytes of customer data from an unpatched internet facing server ...
Re: (Score:1)
(yes that was one sentence)
Still no patch. . . (Score:2)
. . . usually, Micro$oft would have the patch out by now on Patch Tuesday. . .
Translation (Score:2)
Looks like it might be KB45228760 (Score:2)
https://www.catalog.update.mic... [microsoft.com]
Re: (Score:2)
Correction on that typo: KB4528760
KB link: https://support.microsoft.com/... [microsoft.com]
Doesn't say much...
Updates to improve security when storing and managing files.
Updates to improve security when using input devices such as a mouse, keyboard, or stylus.
Re: (Score:2)
Here's the vulnerability https://kb.cert.org/vuls/id/84... [cert.org]
Here's the Microsoft CVE https://portal.msrc.microsoft.... [microsoft.com]
And yes, it links to KB4528760 for many systems.