Wednesday, October 5

Microsoft Fixes NSA’s ‘Serious’ Windows Security Flaw: What To Do

Updated Jan 14 to add an official Microsoft description of the flaw. Previous updates added Microsoft comments, Twitter gossip, NSA comments, and CVE number. This story was originally published on January 13.

Microsoft today fixed a Windows security flaw, first reported by independent security reporter Brian Krebs, that Krebs had described yesterday (January 13) as “an extraordinarily serious security vulnerability.”

If your PC asks you to update your machine, and it will probably do so tomorrow morning, you should do so as soon as possible.

“The consequences of not patching the vulnerability are severe and widespread,” the National Security Agency wrote in a notice. “Remote exploitation tools are likely to be readily and widely available. Rapid patch adoption is the only known mitigation at this time and should be the primary focus for all network owners.”

The flaw exists in all versions of Windows 10, as well as in Windows Server 2016 and 2019. Windows 7, which receives its last security updates today, and Windows 8.1 do not appear to be affected.

Now that we have seen Microsoft’s explanation of the vulnerability, it is indeed very serious, although Microsoft surprisingly classifies it as “Important” rather than “Critical”.

That would imply that the flaw cannot be exploited without some action by the user, intentional or not, and that it cannot be exploited remotely, for example directly over the internet.

For what it’s worth, the NSA, which Microsoft credits with finding the flaw, considered it critical.

The flaw “is a serious vulnerability, because it can be exploited to undermine the trust of the public key infrastructure (PKI),” wrote Neal Ziring of the NSA Cybersecurity Directorate in an NSA blog post. “The vulnerability allows an attacker to craft PKI certificates to spoof trusted identities, such as individuals, websites, software companies, service providers, or others.”


“This vulnerability may not seem conspicuous, but it is a critical problem,” Ziring added. “Trust mechanisms are the foundation on which the Internet operates, and [this flaw] allows a sophisticated threat actor to subvert those very foundations.”

Dead man’s elliptic curve

The flaw lies “in the way that Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates,” Microsoft wrote in its advisory.

We won’t bore you with the technical details of elliptic curve cryptography, but suffice it to say that “an attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.”

In other words, a hacker could make you download and install malware that pretends to be something benign, such as a software update, and Microsoft and even the best antivirus software would not notice it due to the forged digital signature.

“The user would have no way of knowing that the file is malicious, because the digital signature would appear to be from a trusted provider,” Microsoft added. “A successful exploit could also allow the attacker to carry out man-in-the-middle attacks and decrypt confidential information about users’ connections to affected software.”

That means hackers could intercept and tamper with secure Internet communications, including software updates and possibly even encrypted messages, depending on how the messaging software used Microsoft’s own encryption tools.
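One thing a defender can actually check after installing the update: the January 2020 patch adds an Application-log audit event, written by the provider Microsoft-Windows-Audit-CVE with Event ID 1, whenever a certificate attempting to exploit CVE-2020-0601 is encountered. The PowerShell below is an added example, not code from the article or from Microsoft; the function name and the 30-day look-back window are my own choices.

```powershell
# Added example (not from the article): after the January 2020 patch, Windows
# writes an Application-log event when a certificate that tries to exploit
# CVE-2020-0601 is presented to CryptoAPI. This function pulls those events so
# a defender can see whether anything on the machine presented such a certificate.
function Get-CurveBallAuditEvents {
    param(
        # Look back this many days; the default covers a typical patch window.
        [int]$Days = 30
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Audit-CVE'
        Id           = 1
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises a terminating error when nothing matches (and the
    # provider does not exist at all on an unpatched machine), so treat both
    # cases as "no events" rather than as a script failure.
    try {
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
    } catch {
        $events = @()
    }
    foreach ($e in $events) {
        # The message text names the CVE; keep only CVE-2020-0601 entries in case
        # the same provider is reused for other audited vulnerabilities later.
        if ($e.Message -match 'CVE-2020-0601') {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Process = $e.ProcessId
                Message = $e.Message.Trim()
            }
        }
    }
}

$hits = @(Get-CurveBallAuditEvents -Days 30)
if ($hits.Count -eq 0) {
    'No CVE-2020-0601 audit events found. Either nothing presented a forged certificate, or the machine is not yet patched and so cannot log them.'
} else {
    $hits | Format-Table -AutoSize
}
```

Because an unpatched system has no way to recognise the forged certificate, an empty result only means something once you have confirmed the January 2020 update is installed.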

“It is not difficult to imagine how attackers could employ this tactic,” wrote Dustin Childs, a former Microsoft security analyst, in a blog post for Trend Micro’s Zero Day Initiative. “For example, ransomware or other spyware is much easier to install when it appears to have a valid certificate.”


Other vulnerabilities fixed by Microsoft in the January 2020 Patch Tuesday updates include several remote code execution bugs in Excel, potential information leaks in the way Windows handles graphical components and log files, and even a glitch in the OneDrive for Android app.

‘Turn a new page’

Earlier today, Anne Neuberger, head of the NSA’s Cybersecurity Directorate, said in a conference call with reporters that the NSA had reported the flaw to Microsoft, according to Krebs. She added that Microsoft had yet to see active exploitation of the vulnerability.

Krebs said that NSA personnel on the call did not say exactly when the NSA discovered the flaw.

The NSA may have used the flaw for some time in so-called “tailored access operations,” although today two stories, in the Washington Post and the New York Times, pushed the angle, supplied by anonymous sources, that the NSA had selflessly given Microsoft the information rather than exploiting it.

Krebs also said that he had heard that this disclosure to Microsoft was part of a new initiative within the agency called “Turn a New Leaf”, intended to show the defensive security side of the NSA.


Krebs’ early sources were right that the flaw lies in crypt32.dll, which handles core cryptographic and certification functions. He added that the US military and high-value private organizations had already received the patch under strict secrecy.

The flaw was assigned the Common Vulnerabilities and Exposures catalog number CVE-2020-0601, matching a tweet yesterday by Mac hacker Patrick Wardle. One keen-eyed Twitter user noted that that CVE was addressed today in a malware-definition update pushed to Microsoft’s antivirus software packages, Windows Defender and Microsoft Security Essentials.


Will Dormann, a vulnerability analyst at the Computer Emergency Response Team Coordination Center (CERT/CC), operated by Carnegie Mellon University in Pittsburgh at the behest of the Pentagon, posted a cryptic comment on Twitter yesterday.

“I have the impression that perhaps people should pay close attention to installing tomorrow’s Microsoft Patch Tuesday updates in a timely manner. Even more than others. I don’t know… just call it a hunch? ¯\_(ツ)_/¯” (Tweet, January 13, 2020)

“I have the impression that maybe people should pay close attention to installing the Microsoft Patch Tuesday updates tomorrow in a timely manner. Even more than others,” Dormann wrote. “I don’t know… just call it a hunch?”

However, security researcher Kevin Beaumont, who has identified and even named some famous bugs in his time, replied that there was no need to worry.

“Don’t panic over this one,” Beaumont said simply.

This Patch Tuesday is also noteworthy because it is (probably) the last time Windows 7 will receive a security update. The 10-year-old operating system officially reaches the end of its useful life tomorrow, although it will receive this extraordinarily serious patch, whatever it is.

If you’re still using Windows 7, here’s how to live with Windows 7 beyond tomorrow, and how to upgrade from Windows 7 to Windows 10 for free.
