Proof-of-Concept Exploits Published for the Microsoft-NSA Crypto Bug

Security researchers have published proof-of-concept (PoC) code for exploiting a recently-patched vulnerability in the Windows operating system, a vulnerability that has been reported to Microsoft by the US National Security Agency (NSA). From a report: The bug, which some have started calling CurveBall, impacts CryptoAPI (Crypt32.dll), the component that handles cryptographic operations in the Windows OS. According to a high-level technical analysis of the bug from cyber-security researcher Tal Be'ery, "the root cause of this vulnerability is a flawed implementation of the Elliptic Curve Cryptography (ECC) within Microsoft's code." According to both the NSA, the DHS, and Microsoft, when exploited, this bug (tracked as CVE-2020-0601) can allow an attacker to: 1. Launch MitM (man-in-the-middle) attacks and intercept and fake HTTPS connections. 2. Fake signatures for files and emails. 3. Fake signed-executable code launched inside Windows.

Re:

[OffTheLip]

Not as well as deleting *.dll recursively.

Re:

[higuita]

and then install linux or *bsd !

Well, that was easy

[ZoomieDood]

https://www.ttec.com/sites/def... [ttec.com]

Article on cryptographic elliptic curve cheating

[nickwinlund77]

https://medium.com/zengo/win10... [medium.com]

Re:

[bill_mcgonigle]

This is literally the only explanation I've seen in all the coverage on this bug. Thanks.

Interesting timing

[dunkindave]

Isn't it convenient that just as Windows 7 support ends, a major flaw is announced that impacts it, but starting now Microsoft only publishes fixes for Windows 10, thereby putting people in the position of being forced to upgrade, or else live with an OS that will be actively exploited? Yes, awfully convenient.

Re:

[ArchieBunker]

It was patched on Windows 7.

Re:

[laktech]

Am I looking at the wrong CVE? The link suggests Windows 7 isn't affected. https://portal.msrc.microsoft.... [microsoft.com]

Re:

[MrLogic17]

"It was not a regression, and versions of Windows which don’t support ECC parameters configuring ECC curves (Server 2008, Windows 7, Windows 8.1 and servers) were not affected."

via: https://portal.msrc.microsoft.... [microsoft.com]

Grammar is a bit mangled, looks like it was typed in a hurry...

Re:

[Miser]

Agreed. Windows 7 isn't on the list.

Is Windows 7 affected? If so, is there a patch?

Re:

[twocows]

There are two different bugs. One affects Windows 10 only and was patched on Windows 10. The other affects all recent versions of Windows including 7 and was patched on all versions of Windows since and including 7.

Re:Interesting timing

[Fallen Kell]

From everything I have seen, Windows 7 is not affected. In all the CVE releases, the only OS's listed as affected by the vulnerability are Win 10, Server 2016 and 2019. That is it. It doesn't affect Windows 8 (which is still being patched, and as had no patch release for this since it wasn't affected), and it doesn't affect Windows 7.

Re:

[Shimbo]

Isn't it convenient that just as Windows 7 support ends, a major flaw is announced that impacts it, but starting now Microsoft only publishes fixes for Windows 10, thereby putting people in the position of being forced to upgrade, or else live with an OS that will be actively exploited? Yes, awfully convenient.

Doubly no, because the January patches included Windows 7 and this patch doesn't apply to it anyway. Unless there is an out-of-band patch, you really have to start worrying about Windows 7 next patch Tuesday.

Re:

[CaptAubrey]

No, you needed to start worrying about Windows 7 yesterday (Wednesday). Anything that drops from yesterday onward that affects Windows 7 means you are SOL and on your own.

Re:

[WaffleMonster]

Isn't it convenient that just as Windows 7 support ends, a major flaw is announced that impacts it,

This bug never existed on Windows 7.

Re:

[bill_mcgonigle]

It's better to spend time verifying claims before making accusations than it is to be the first to express outrage.

Start sending them to jail

[AndyKron]

Who's going to jail for screwing up the implementation of the Elliptic Curve Cryptography?

Re:

[The_mad_linguist]

maybe increase the pay for important jobs?

Rookie mistake

[OneHundredAndTen]

Whoever was in charge of implementing the ECC code at MS made a rookie mistake. Well, this is MS we are talking about.

2020 is starting off with a bang

[CaptAubrey]

Server and desktop diversity is a good thing. Putting all your eggs in one basket is inviting disaster. We will see how bad this gets over the next 30-60 days. Remember the Apache Struts vulnerability that got Equifax wacked? More recently there are still large organizations getting pwned by not patching the Pulse Secure VPN from April 2019. And the Citrix vulnerability CVE 2019-19781 is being actively exploited as we speak. Management doesn't pay attention or care till the bottom line is affecte

Re:

[CaptAubrey]

Bill Gates announced the "Trustworthy Coding initiative" back when, 2002? Not much has changed in 18 years, except that has grown older and richer. I wonder what he would have done differently if he got the infamous "do-over" when it comes to code security?