CRITICAL Windows update today

Discussion in 'The Watering Hole' started by Winston, Jan 14, 2020.


  1. Jan 14, 2020 #1

    Winston

    Supposedly the first bug EVER reported by the NSA, an incredibly serious one that's been around for a long time. [Cynic ON] They must have new exploit methods and no longer need it OR the exploit has been compromised by having been independently discovered by bad guys or somehow transferred to them via a security leak. And, cough, cough, are we sure its origin was actually an unintentional bug? SURE would have been incredibly useful. [Cynic OFF]

    13 Jan 20
    Cryptic Rumblings Ahead of First 2020 Patch Tuesday

    https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/

    Sources tell KrebsOnSecurity that Microsoft Corp. is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020.

    According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles “certificate and cryptographic messaging functions in the CryptoAPI.” The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates.

    A critical vulnerability in this Windows component could have wide-ranging security implications for a number of important Windows functions, including authentication on Windows desktops and servers, the protection of sensitive data handled by Microsoft’s Internet Explorer/Edge browsers, as well as a number of third-party applications and tools.

    Equally concerning, a flaw in crypt32.dll might also be abused to spoof the digital signature tied to a specific piece of software. Such a weakness could be exploited by attackers to make malware appear to be a benign program that was produced and signed by a legitimate software company.

    This component was introduced into Windows more than 20 years ago — back in Windows NT 4.0. Consequently, all versions of Windows are likely affected (including Windows XP, which is no longer being supported with patches from Microsoft).


    --------

    Bug confirmed and Microsoft patch issued:

    CVE-2020-0601 | Windows CryptoAPI Spoofing Vulnerability
    Security Vulnerability
    Published: 01/14/2020 | Last Updated : 01/14/2020
    MITRE CVE-2020-0601

    A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.

    An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.

    A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

    The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.

    --------

    Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers

    https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF

    Summary

    NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows® cryptographic functionality.

    The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities. Examples where validation of trust may be impacted include:

    - HTTPS connections
    - Signed files and emails
    - Signed executable code launched as user-mode processes

    The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors. NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.

    --------

    Microsoft Windows CryptoAPI fails to properly validate ECC certificate chains
    Vulnerability Note VU#849224
    Original Release Date: 2020-01-14

    https://kb.cert.org/vuls/id/849224/
     
  2. Jan 15, 2020 #2

    Bill S

    Yikes!
     
  3. Jan 15, 2020 #3

    Winston

    Once again, reading between the lines.

    Just as we have the sudden unidentified drone hysteria at the same instant in time that the FAA proposes a draconian, incredibly unpopular rule that all RC aircraft down to 250 grams be equipped with transponders, just as we had the elephant walk of 52 F-35s at Hill AFB, UT on Jan. 6 after President Trump tweeted there were 52 targets in Iran on the target list coupled with previous widespread reports implying that Iran's S-300 SAM system was useless against F-35s, the US having successfully discouraged the Russians from selling Iran the S-400 system which just now is being offered to them again by the Russians, we have this very interesting timing for the NSA to suddenly reveal such an incredibly powerful "accidental bug" exploit which meant that Windows had been completely wide open for exploitation previously.

    14 JAN 20
    Patch Tuesday, January 2020 Edition

    https://krebsonsecurity.com/2020/01/patch-tuesday-january-2020-edition/

    Microsoft today released updates to plug 50 security holes in various flavors of Windows and related software. The patch batch includes a fix for a flaw in Windows 10 and server equivalents of this operating system that prompted an unprecedented public warning from the U.S. National Security Agency.

    Was the "suddenly, just now discovered" bug used here:

    OCTOBER 15, 2019
    Exclusive: U.S. carried out secret cyber strike on Iran in wake of Saudi oil attack: officials

    https://www.reuters.com/article/us-...e-of-saudi-oil-attack-officials-idUSKBN1WV0EK

    exposing it and making it likely to be used here:

    Threat of Cyberattack by Iran Still Critical, Experts Say
    Despite cooling tensions, nation-state-level attacks could occur, according to cybersecurity specialists
    Jan. 9, 2020
    https://www.wsj.com/articles/threat-of-cyberattack-by-iran-still-critical-experts-say-11578621927

    and now, weighing the value of their exploit versus the huge potential damage if enemies used it, the NSA decided to reveal one of their tools?

    Could be...
     
  4. Jan 16, 2020 #4

    Bill S

    Well I went ahead and tried to update my laptop from Win 7 to 10, and guess what? It couldn't update, due to the dreaded "could not update system reserved partition" error, which looks to be a real difficult one to solve. :( Thank you so very much Microsoft.
     
  5. Jan 16, 2020 #5

    Peartree

    Well, I downloaded what will probably be my last Windows 7 update yesterday and my computer spent a sizable chunk of my morning trying to restart. Oh well, I got a few things cleaned off of my messy desk while I waited.
     
  6. Jan 22, 2020 at 5:59 AM #6

    Tobor

    I think they know that I think they are watching me.....
     
  7. Jan 22, 2020 at 1:40 PM #7

    Zeus-cat

    Just because you are paranoid doesn't mean they aren't watching you.
     
