
Microsoft expected to patch a serious security bug affecting all Windows versions today


Recommended Posts

News update : Microsoft Fixes Windows CryptoAPI Spoofing Flaw Reported by NSA

 


 

 

Microsoft patched a spoofing vulnerability present in the Windows usermode cryptographic library, CRYPT32.DLL, on Windows 10, Windows Server 2016, and Windows Server 2019 systems.

 

In a media call with the NSA that Bleeping Computer joined, the National Security Agency (NSA) stated that they discovered this vulnerability and immediately reported it to Redmond's security team.

 

Both NSA and Microsoft say that the vulnerability hasn't yet been exploited in the wild, while the agency recommends in its own advisory to install the patches delivered with Microsoft's January 2020 Patch Tuesday as soon as possible to block attackers from defeating "trusted network connections and deliver executable code while appearing as legitimately trusted entities."

 

The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners. - NSA

Spoofing ECC certificate chains' validity

"A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates," says Microsoft's security advisory. "An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.

 

The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider," Microsoft adds.

 

After successfully exploiting unpatched systems, attackers can launch man-in-the-middle attacks, as well as decrypt confidential info from user connections to the impacted software.

 

"By exploiting this vulnerability, an attacker may be able to spoof a valid X.509 certificate chain on a vulnerable Windows system," CERT/CC vulnerability analyst Will Dormann explains.

 

"This may allow various actions including, but not limited to, interception and modification of TLS-encrypted communications or spoofing an Authenticode signature."

Now that it's all public:
1) CVE-2020-0601 - Windows doesn't properly validate X.509 certificate chains. https://t.co/gaUWl7J15W
2) CVE-2020-0609, CVE-2020-0610 - Windows Remote Desktop Gateway (not to be confused with RDP proper) unauthenticated RCE. https://t.co/nGHTcCeUWV

— Will Dormann (@wdormann) January 14, 2020

Microsoft's security update addresses the vulnerability tracked as CVE-2020-0601 and reported by the NSA by making sure that the Windows CryptoAPI completely validates ECC certificates.

 

"This vulnerability is classed Important and we have not seen it used in active attacks," Microsoft Security Response Center's Principal Security Program Manager Mechele Gruhn added.

 

"This vulnerability is one example of our partnership with the security research community where a vulnerability was privately disclosed and an update released to ensure customers were not put at risk."

 

Microsoft encourages security researchers and organizations to report other potential vulnerabilities using the company's MSRC Researcher Portal.

Mitigation, prevention, and detection options

The NSA security advisory also provides mitigation measures for systems where immediately installing the patches Microsoft released as part of its January 2020 Patch Tuesday is not possible.

"Network devices and endpoint logging features may prevent or detect some methods of exploitation," says the agency's advisory.

 

"Properly configured and managed TLS inspection proxies independently validate TLS certificates from external entities and will reject invalid or untrusted certificates, protecting endpoints from certificates that attempt to exploit the vulnerabilities.

 

 Ensure that certificate validation is enabled for TLS proxies to limit exposure to this class of vulnerabilities and review logs for signs of exploitation."

 

The NSA also recommends using capture analysis tools like Wireshark and tools such as OpenSSL and the Windows certutil utility to extract and analyze certificates to detect any malicious properties.

Certutil can be used to examine an X509 certificate by running the following command:

    certutil -asn <certificate file>

OpenSSL can be used to examine an X509 certificate by running one of the following commands:

    openssl asn1parse -inform DER -in <certificate file> -i -dump
    openssl x509 -inform DER -in <certificate file> -text

Certutil can be used to list registered elliptic curves and view their parameters by running the following commands:

    certutil -displayEccCurve
    certutil -displayEccCurve <curve name>

OpenSSL can be used to view standard curves enabled/compiled into OpenSSL by running the following commands:

    openssl ecparam -list_curves
    openssl ecparam -name <curve name> -param_enc explicit -text

"Certificates with named elliptic curves, manifested by explicit curve OID values, can be ruled benign," the NSA explains. 

 

However, "certificates containing explicitly-defined elliptic curve parameters which only partially match a standard curve are suspicious, especially if they include the public key for a trusted certificate, and may represent bona fide exploitation attempts."

 

Source

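The NSA's rule of thumb quoted above (a named-curve OID can be ruled benign, explicit parameters that only partly match a standard curve are suspicious; the advisory summary further down makes the same point) as an added Python example, not code from the article, the NSA or Microsoft: a hand-written DER walker reads the EC parameters out of a SubjectPublicKeyInfo and compares any explicit parameters against NIST P-256. The DER encoder, the constructed sample keys and the stand-in base point are assumptions for illustration; a real check would cover every registered curve, not just P-256.

```python
# Added example (not from the page, the NSA or Microsoft): classify the EC parameters
# of a DER SubjectPublicKeyInfo as the NSA guidance describes. P-256 per FIPS 186-4.
P256_OID_DER = bytes.fromhex("06082a8648ce3d030107")  # OID 1.2.840.10045.3.1.7
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
P256_G = bytes.fromhex(  # uncompressed base point: 04 || Gx || Gy
    "046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296"
    "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5")
ID_EC_PUBLIC_KEY = bytes.fromhex("06072a8648ce3d0201")  # OID 1.2.840.10045.2.1
PRIME_FIELD = bytes.fromhex("06072a8648ce3d0101")       # OID 1.2.840.10045.1.1

def der(tag, body):  # DER TLV encoder with short- and long-form lengths
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(v):  # INTEGER; the spare byte keeps a high-bit value positive
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_children(value):  # decode the (tag, content) pairs inside a SEQUENCE
    items, pos = [], 0
    while pos < len(value):
        tag, n, pos = value[pos], value[pos + 1], pos + 2
        if n & 0x80:  # long form: low 7 bits give the number of length bytes
            k, pos = n & 0x7f, pos + (n & 0x7f)
            n = int.from_bytes(value[pos - k:pos], "big")
        items.append((tag, value[pos:pos + n]))
        pos += n
    return items

def classify_ec_params(spki_der):
    alg = der_children(der_children(spki_der)[0][1])[0]  # AlgorithmIdentifier
    fields = der_children(alg[1])  # [id-ecPublicKey OID, ECParameters]
    if len(fields) < 2 or fields[1][0] == 0x05:
        return "implicit"
    tag, params = fields[1]
    if tag == 0x06:  # namedCurve OID: the NSA rules these benign
        return "named-curve"
    _ver, field, curve, base, order = der_children(params)[:5]  # X9.62 layout
    p = int.from_bytes(der_children(field[1])[1][1], "big")
    a, b = [int.from_bytes(c[1], "big") for c in der_children(curve[1])[:2]]
    n = int.from_bytes(order[1], "big")
    hits = [p == P256_P, a == P256_A, b == P256_B, base[1] == P256_G, n == P256_N]
    # all five fields match: explicit copy of P-256; some match: the suspicious case
    return {5: "explicit-matches-p256", 0: "explicit-unknown"}.get(sum(hits), "explicit-partial-p256")

def build_spki(params, pubkey=b"\x04" + bytes(64)):  # constructed stand-in key
    return der(0x30, der(0x30, ID_EC_PUBLIC_KEY + params) + der(0x03, b"\x00" + pubkey))

def explicit_params(base_point):  # X9.62 ECParameters carrying P-256 p, a, b and n
    field = der(0x30, PRIME_FIELD + der_int(P256_P))
    curve = der(0x30, der(0x04, P256_A.to_bytes(32, "big")) + der(0x04, P256_B.to_bytes(32, "big")))
    return der(0x30, der_int(1) + field + curve + der(0x04, base_point) + der_int(P256_N))

# Constructed samples: a normal named-curve key, and explicit P-256 parameters with a different base point
NAMED_SPKI = build_spki(P256_OID_DER)
SUSPICIOUS_SPKI = build_spki(explicit_params(b"\x04" + bytes([0x11]) * 64))
```

Run against the output of `certutil -asn` or `openssl asn1parse` you would first carve the SubjectPublicKeyInfo out of the certificate; the classifier only needs that structure.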

Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers

 

Summary


NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows® cryptographic functionality. The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities. Examples where validation of trust may be impacted include:


o HTTPS connections
o Signed files and emails
o Signed executable code launched as user-mode processes


The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors. NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners. [...]

 

Source (PDF document)

 

Other sources:

 

 

Edited by aum
  • Like 2
  • Thanks 1

Similar topics merged.


In the first post by Edward Raja it says:
"... an "extraordinarily serious security vulnerability" affecting a core cryptographic component found in all versions of Windows"

But as it says in the post by steven36:
"Microsoft patched a spoofing vulnerability present in the Windows usermode cryptographic library, CRYPT32.DLL, on Windows 10, Windows Server 2016, and Windows Server 2019 systems."

 

So will Windows 7 not be patched anymore, although the fix could have been included in the last update for January 14, in order to scare "force" everyone into upgrading to the "saver" Windows 10? 😦
And what about the still supported Windows 8.1? No fix for that OS version?

(It is a shame, by the way, that some software companies - looking at you, Adobe! - no longer support Windows 8.1 although it is still officially "alive" for some years! 😠)

15 minutes ago, Edion Gecos said:

So will Windows 7 not be patched anymore, although the fix could have been included in the last update for January 14, in order to scare "force" everyone into upgrading to the "saver" Windows 10? 😦
And what about the still supported Windows 8.1? No fix for that OS version?

 

From "Microsoft Windows CryptoAPI fails to properly validate ECC certificate chains" ...

 

Quote

Microsoft Windows versions that support certificates with ECC keys that specify parameters are affected. This includes Windows 10 as well as Windows Server 2016 and 2019. Windows 8.1 and prior, as well as the Server 2012 R2 and prior counterparts, do not support ECC keys with parameters. For this reason, such certificates that attempt to exploit this vulnerability are inherently untrusted by older Windows versions.

 

Some older versions of Windows including 7 and 8.1 are not vulnerable, so no patches are needed for them. :coolwink:

1 hour ago, Edion Gecos said:

In the first post by Edward Raja it says:
"... an "extraordinarily serious security vulnerability" affecting a core cryptographic component found in all versions of Windows"

But as it says in the post by steven36:
"Microsoft patched a spoofing vulnerability present in the Windows usermode cryptographic library, CRYPT32.DLL, on Windows 10, Windows Server 2016, and Windows Server 2019 systems."

 

So will Windows 7 not be patched anymore, although the fix could have been included in the last update for January 14, in order to scare "force" everyone into upgrading to the "saver" Windows 10? 😦
And what about the still supported Windows 8.1? No fix for that OS version?

(It is a shame, by the way, that some software companies - looking at you, Adobe! - no longer support Windows 8.1 although it is still officially "alive" for some years! 😠)

So you are saying that Neowin reported the wrong info then?

By the way, I think the moderators used references from Neowin as well.

6 hours ago, Edward Raja said:

So you are saying that Neowin reported the wrong info then?

By the way, I think the moderators used references from Neowin as well.

I did not want to imply that Neowin reported something wrong (nor did I in any way, shape, or form want to imply that you provided a wrong story - I hope there is no misunderstanding here :cheers:).

I simply read this thread with the various reports and thought that indeed all versions of Windows are affected, as reported, but Microsoft is only going to patch Windows 10 and up (thus leaving Win 7 and even the still supported Win 8.1 vulnerable)... Which would have been a disgrace.

 

But now it seems that good "old" Windows 7 (and 8.1) is actually safe from this form of attack - and contrary to the often scare-tactic claims, at times upgrading to Windows 10 can make you more vulnerable than staying with the, well, good old team... :duh: 

15 hours ago, Karlston said:

Some older versions of Windows including 7 and 8.1 are not vulnerable, so no patches are needed for them.

Windows 10 fail. The day they retire Windows 7 they patch a 0day dropped to them by the NSA; the only reason the NSA told them about it is that it serves as NSA image rehab. If they get that backdoor they want, there won't be any need to exploit them, because the ISO image already will be. For all we know that is what that update is. It's closed source; we don't know wtf they be putting in their updates. :lmao:

 

 

 

Edited by steven36

The NSA moved away from using ECC in 2015, the year they put it in Windows. I think it was an NSA exploit, most likely leaked to other state hackers.

 

Why do people keep using elliptic curve cryptography since it was compromised by the NSA?

https://www.quora.com/Why-do-people-keep-using-elliptic-curve-cryptography-since-it-was-compromised-by-the-NSA

 

Because Bruce Schneier said they have been able to break it even before it was put into Windows 10.

https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html#c1675929

https://www.schneier.com/blog/archives/2015/10/why_is_the_nsa_.html

 

blake, October 28, 2015 5:24 PM

As a reader of Neal Stephenson's Cryptonomicon, I'm disappointed that section 5 skipped a possible motivation:

The NSA can break ECC but have just recently been breached by a hostile and competent nation state who, now having the keys, can also break ECC. Now the NSA wants to discontinue ECC in a manner that doesn't admit they could break it all along.

It does say NSA having broken ECC is unlikely, but part of the justification for that is the "why now?" question about the changing recommendation.

Edited by steven36
19 hours ago, Edion Gecos said:

And what about the still supported Windows 8.1? No fix for that OS version?

(It is a shame, by the way, that some software companies - looking at you, Adobe! - no longer support Windows 8.1 although it is still officially "alive" for some years! 😠)

 

11 hours ago, Edion Gecos said:

But now it seems that good "old" Windows 7 (and 8.1) is actually safe from this form of attack - and contrary to the often scare-tactic claims, at times upgrading to Windows 10 can make you more vulnerable than staying with the, well, good old team... :duh: 

 

Microsoft ended mainstream support for Windows 8.1 on January 9, 2018, but extended support won't end until January 10, 2023. Sadly MS does not really support much anymore when it's only 'extended', same as happened in the last years of Windows 7.

 

Edited by Israeli_Eagle
  • Thanks 1
15 hours ago, Israeli_Eagle said:

Microsoft ended mainstream support for Windows 8.1 on January 9, 2018, but extended support won't end until January 10, 2023. Sadly MS does not really support much anymore when it's only 'extended', same as happened in the last years of Windows 7.

Microsoft really only has self-support for free (documentation) and paid support (real support) that costs extra. What they call support is just updates; there really haven't been any mainstream support updates for Windows 8.1 since Update 3 on Nov 19, 2014.

https://www.onmsft.com/news/microsoft-has-quietly-released-windows-81-update-3-november-update

 

Extended Support has everything mainstream support had except for the ability to request to change product design and features.

https://support.microsoft.com/en-us/help/14085

 

It does no good to be able to request something when they stopped putting new product design and features in on Nov 19, 2014. That's not a bad thing, because new product design and features cause regressions and make Windows unstable.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

greenhillmaniac 49 points 2 years ago* 

Mainstream support doesn't mean anything in Modern Microsoft dialect. There used to be a time when Mainstream support meant backporting features from newer Windows versions. Anyone remember platform updates?

 

They gave Windows 7:
* Updated Direct2D, Direct3D, DirectWrite, ... all backported from 8.0
* Better WinSxS cleanup
* NVMe and TPM 2.0 support
* Remote Desktop Protocol Updates, including 8.0 and 8.1
* Internet Explorer 11 (updated from version 8)

 

Even Windows Vista got decent support from Microsoft:
* DirectX 11 support and various Windows 7 API backports
* Remote Desktop Protocol Update 7.0
* Windows Driver Framework update to version 1.11 (backported from 8.0, also to Windows 7)
* Internet Explorer 9 (updated from version 7)


What did Windows 8.1 get? New CPU support? DirectX 11.3? Windowed apps at least? (remember that update Microsoft was going to make for 8.1 that added a start menu and windowed apps?).


Screw Microsoft and their support. Windows 8.1 runs just fine without them!

 

Source : https://old.reddit.com/r/windows/comments/7pesrv/time_to_upgrade_windows_81_exits_mainstream/dsgupro/

 

Microsoft lied to everyone and said they were going to put a start menu and windowed apps in Windows 8.1, and instead released buggy Windows 10 TH1 6 months early. Windows 10 updates even had the wrong drivers for my AMD PC; they didn't get the right ones till TH2 came out. So Windows 8.1 has had no real mainstream support update since Nov 19, 2014. Each Windows 10 version only has 18 months of support for consumers, but they force new updates once or twice a year. As soon as they get the regressions out of one version they push the next version, because consumers are just beta testers for business.

 

Windows 8.1 mainstream support was DOA when they decided they were going to push a free upgrade to Windows 10 to older Windows users. If it was up to Microsoft and they had not promised 10 years of security updates for Windows 8.1, they would have killed that too. Now with Windows 10, unless you're on Enterprise or steal Enterprise with a workaround, 18 months of support is all you get. The only exception so far is some chips they blacklisted from getting new versions of Windows 10; they only get Windows 10 updates till 2023, like Windows 8.1.

https://www.nsaneforums.com/topic/362480-opinion-how-microsoft-could-improve-windows-by-being-more-like-apple/

 

I was going to buy a PC with Windows 10, but since they gave it away free there was no need, so when I bought a new PC in 2015 I bought a new Dell with Windows 8.1 and a free upgrade to Windows 10 on the box, much cheaper. I'm glad I didn't buy Windows 10 after what a shit show it became, because I got my Windows 8.1 key out of the BIOS and got rid of Windows 10 almost 2 years ago. No reason to use Windows 10 unless you have hardware that doesn't support Windows 8.1. Still no reason for me to use Windows 10, because Linux supports new hardware just like Windows 10 does.

 

Windows 8.1 old fixed software versions of apps work for things that are broken in Windows 10 due to upgrades, stuff that has never been cracked for newer versions of Windows 10.

 

Linus Torvalds said people don't use an OS, they only use software on an OS. If Windows 10 doesn't work for the cracked software I always used on Windows, like it still works on Windows 8.1 for me, because no one is fixing new versions, then it no longer serves its purpose for me. I could always use alternative software or pay for those apps, but what's the point? If I want to use alternative software I can just use Linux, where the apps are free, and dual boot Linux and Windows 8.1, where everything I want to use still works for free on Windows. What drove me away from Windows 10 was new product design and features. They won't leave it alone; it's not even like Windows Vista, Windows 7 or Windows 8.1 anymore, or those old versions would still work.

 

Getting new cracked software has always been a problem. When they made Windows XP SP3 a bunch of cracks stopped working that were made on Windows XP SP1 and 2. When people started using x64 OSes many apps were only cracked for x86; nowadays they crack stuff only for x64 and have apps that only work on x64. I got tired of it and switched to Linux and stopped chasing cracks on Windows because it's a pipe dream. :lol:

Edited by steven36
  • Like 2
