Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Windows Microsoft Security

Cryptic Rumblings Ahead of First 2020 Patch Tuesday (krebsonsecurity.com) 37

Brian Krebs: Sources tell KrebsOnSecurity that Microsoft is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020. According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles "certificate and cryptographic messaging functions in the CryptoAPI." The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates. NSA said on Tuesday that it spotted the vulnerability and reported it to Microsoft. NSA said Microsoft will report later today that it has seen no active exploitation of this vulnerability. NSA's Director of Cybersecurity, Anne Neuberger, says the critical cryptographic vulnerability resides in Windows 10 and Windows Server 2016, and that the concern about this particular flaw is that it "makes trust vulnerable."
This discussion has been archived. No new comments can be posted.

Cryptic Rumblings Ahead of First 2020 Patch Tuesday

Comments Filter:
  • NSAKEY (Score:5, Funny)

    by Arthur, KBE ( 6444066 ) on Tuesday January 14, 2020 @04:27AM (#59618614)
    Must have finally expired.
    • Re:NSAKEY (Score:5, Funny)

      by arglebargle_xiv ( 2212710 ) on Tuesday January 14, 2020 @04:56AM (#59618634)
      They've upgraded the ROT13 cipher to double ROT13 for extra security.
    • by mysidia ( 191772 )

      Probably more like... a new one has long been in place, and some researcher figured out the older back door.

      Likely a way of making the client or server API think an unsigned cert is a trusted CA cert valid for TLS for any arbitrary hostname, and when setting a bit the client or server will render its private keys hidden in the certificate download.

  • Before they install yet another backdoor... I wonder who its if for this time...
    • Given that there have been vulns in there that would, for example, hand your private key out to anyone who asked for it, you have to wonder what this is if it's "extraordinarily serious". Does it burn your house down as well?
      • Does it burn your house down as well?

        Windows 10 Home & Professional do.

        Windows 10 Enterprise is only suitable for burning office buildings, missile launch sites, laboratories, etc.

      • It is serious as MS has enough money to review such things, but does not. But like Boeing, some flunky self-certification process gets the boxes ticked and approved for production use. Past performance is a good predictor ... An educated guess would suspect the temporary storage is not blanked asap, so entropy and private keys can be got at by memory rummaging, also enhanced by all those Intel CPU work-arounds. Then there is the double byte thing, and failure to code otherwise conditions.
        • When people complain about capitalism, they actually complain about Amazon, Microsoft, Oracle, Facebook, all New York banks etc. A few godlike owners establishing a company that is intelligent, greedy, unethical and power-hungry. And despite as a company and most of the senior management having become absolutely filthy stinking rich, rich beyond everyone's wildest dreams even, they are always down to save on neccessities and earn through malevolence. Spending less on quality control, safety testing and over

      • Given that there have been vulns in there that would, for example, hand your private key out to anyone who asked for it, you have to wonder what this is if it's "extraordinarily serious". Does it burn your house down as well?

        No pyrotechnics, but it does breach your trust like a long time friend, and then it dates your sister... not the pretty one, but the one who kind of looks like you.

      • Given that there have been vulns in there that would, for example, hand your private key out to anyone who asked for it, you have to wonder what this is if it's "extraordinarily serious". Does it burn your house down as well?

        Since NSA is the party that discovered this bug, my bet is that they were researching new ways to plant malware in Windows... for doing things like planting Trojans in Iranian nuclear research servers... and that in doing so, they found the bug. Which means that they think its a pretty damn serious bug. That would mean that they judged the danger to Western server systems as being more grave than any advantage they had backdooring enemy systems.

        • Windows 7 has run out of support on Tuesday 14th. The very same day, the most critical security flaw in the history of Windows is reported which will most likely NOT get patched for Windows 7. On the same day.

          That is a tiny bit coincidental, isn't it?

          Microsoft selling more Windows 10 upgrades and the NSA getting always-connected Windows 10 into more homes can't possibly be in the mutual interest of both parties. No. That is all a conspiracy theory. Super-critical flaws and end-of-support-dates just coincide

          • by Zak3056 ( 69287 )

            No. That is all a conspiracy theory.

            Yep, conspiracy theory. Windows 7 gets updates today, so your entire point is moot.

            • Yep, conspiracy theory. Windows 7 gets updates today, so your entire point is moot.

              As of this posting, nothing but Win 10 and Windows Server is supported for this patch. Nice job, Microsoft.
              https://www.catalog.update.mic... [microsoft.com]

              • As of this posting, nothing but Win 10 and Windows Server is supported for this patch. Nice job, Microsoft.

                Looks like this one only applies to Win 10 era windows.

                I can't believe I'm quoting from US-CERT mailing list which has consistently provided old news, useless data and comical advice ever since it was taken over by the US government a lifetime ago.

                "This vulnerability affects all machines running 32- or 64-bit Windows 10 operating systems, including Windows Server versions 2016 and 2019."

                "This vulnerability allows Elliptic Curve Cryptography (ECC) certificate validation to bypass the trust store, enabling un

              • That may be because the Win7 version of CryptoAPI never supported the explicit ECDSA params that are required to make the attack work.

                Another point is that it's yet another vuln in X.509 certs, which for the vast majority of use, the web, do nothing anyway, so most people won't even notice it's there.

    • by Dunbal ( 464142 ) *
      Everyone except the actual owner of the machine.
  • by Martin S. ( 98249 ) on Tuesday January 14, 2020 @04:45AM (#59618624) Journal

    When sufficient developed responsible disclosure [wikipedia.org] is indistinguishable from either black or foil hattery.

  • by malx ( 7723 ) on Tuesday January 14, 2020 @05:46AM (#59618674)

    Is Win7 getting this patch?

    If not, an âoeextraordinarily seriousâ crypto hole being the first item to hit as soon as Win7 goes EOL would really set the tin foil hats going.

    • Re:Win7 (Score:5, Informative)

      by rsmith-mac ( 639075 ) on Tuesday January 14, 2020 @06:39AM (#59618754)

      Yes, Windows 7 would get this patch. Today is the final regular patch release for that OS; so anything getting fixed today in Windows will include Win7.

      • by tlhIngan ( 30335 )

        Today is the final regular patch release for that OS; so anything getting fixed today in Windows will include Win7.

        No, it's not the final regular patch release. It's the final FREE regular patch release. Those with Windows 7 support plans will get security updates

        I think Windows 7 can still get another year of updates, but you're going to have to pay for it.

    • by 4pins ( 858270 )

      So here is the link to the last set of Windows 7 updates [microsoft.com].

      Good luck to all!

  • Did the NSA help Microsoft on securing their core cryptographic component, as in making it less secure :]

    Microsoft gave US intelligence agencies .. ability to read encrypted messages in outlook [relianceacsn.co.uk]
  • Hard to say much more since we don't know much about the actual vulnerability. I guess we will know more later today.

    • by Slayer ( 6656 )

      Just be patient! You will learn everything about this hole, when in a few months criminals fleece the next major corporation of terabytes of customer data from an unpatched internet facing server ...

      • This could also be a false flag scenario where we're going to hear about something nasty done by some unnamed NSA department, but they "did the right thing in the end" and reported an exploit to divert attention away from the fact that they've been using it for years.

        (yes that was one sentence)
  • . . . usually, Micro$oft would have the patch out by now on Patch Tuesday. . .

  • NSA found that so many of its trusted apps and devices were pw0ned they couldnâ(TM)t remediate them all so they pulled in Microsoft for help

"The pathology is to want control, not that you ever get it, because of course you never do." -- Gregory Bateson

Working...