Products > Security

NSA discovers huge security flaw in Microsoft’s Windows 10

(1/3) > >>

Black Phoenix:
https://nypost.com/2020/01/15/nsa-discovers-huge-security-flaw-in-microsofts-windows-10/


--- Quote ---The National Security Agency has discovered a major security flaw in Microsoft’s Windows 10 operating system that could let hackers intercept seemingly secure communications.

But rather than exploit the flaw for its own intelligence needs, the NSA tipped off Microsoft so that it can fix the system for everyone.
--- End quote ---


--- Quote ---Microsoft typically releases security and other updates once a month and waited until Tuesday to disclose the flaw and the NSA’s involvement. Microsoft and the NSA both declined to say when the agency privately notified the company.

The agency shared the vulnerability with Microsoft “quickly and responsibly,” Neal Ziring, technical director of the NSA’s cybersecurity directorate, said in a blog post on Tuesday.
--- End quote ---

Yes I totally believe in you NSA...

ataradov:
NSA was using this for ages, and then they probably realized that some other nation is aware of the issue too, so time to report.

Stray Electron:
  I don't know who I trust less, MicroSoft or the NSA.

Black Phoenix:

--- Quote from: ataradov on January 16, 2020, 04:32:48 am ---NSA was using this for ages, and then they probably realized that some other nation is aware of the issue too, so time to report.

--- End quote ---

Or being someone in the Conspiracy theory field, they found a way of using it even while patch, so let's give some sense of security while we keep doing what we do...

Berni:

--- Quote ---Microsoft said an attacker could exploit the vulnerability by spoofing a code-signing certificate so it looked like a file came from a trusted source.

“The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider,” the company said.

If successfully exploited, attackers would have been able to conduct “man-in-the-middle attacks” and decrypt confidential information they intercept on user connections, the company said.

--- End quote ---

This does not make any sense. So the exploit is to do with being able to code sign an executable without having the appropriate keys. Not too worried about that since how many people look at the thing anyway.

But how do you go from that to "man in the middle attacks" and "decrypting confidential information"? Are they just making things up or is this another case of the press having no idea what they are talking about and just throwing technical sounding words.

Navigation

[0] Message Index

[#] Next page

There was an error while thanking
Thanking...
Go to full version