Author Topic: NSA discovers huge security flaw in Microsoft’s Windows 10  (Read 952 times)

0 Members and 1 Guest are viewing this topic.

Offline Black Phoenix

  • Frequent Contributor
  • **
  • Posts: 526
  • Country: hk
NSA discovers huge security flaw in Microsoft’s Windows 10
« on: January 16, 2020, 04:10:41 am »
https://nypost.com/2020/01/15/nsa-discovers-huge-security-flaw-in-microsofts-windows-10/

Quote
The National Security Agency has discovered a major security flaw in Microsoft’s Windows 10 operating system that could let hackers intercept seemingly secure communications.

But rather than exploit the flaw for its own intelligence needs, the NSA tipped off Microsoft so that it can fix the system for everyone.

Quote
Microsoft typically releases security and other updates once a month and waited until Tuesday to disclose the flaw and the NSA’s involvement. Microsoft and the NSA both declined to say when the agency privately notified the company.

The agency shared the vulnerability with Microsoft “quickly and responsibly,” Neal Ziring, technical director of the NSA’s cybersecurity directorate, said in a blog post on Tuesday.

Yes I totally believe in you NSA...
« Last Edit: January 16, 2020, 04:20:52 am by Black Phoenix »
 

Online ataradov

  • Super Contributor
  • ***
  • Posts: 6624
  • Country: us
    • Personal site
Re: NSA discovers huge security flaw in Microsoft’s Windows 10
« Reply #1 on: January 16, 2020, 04:32:48 am »
NSA was using this for ages, and then they probably realized that some other nation is aware of the issue too, so time to report.
Alex
 
The following users thanked this post: BravoV, GeorgeOfTheJungle, bd139

Offline Stray Electron

  • Frequent Contributor
  • **
  • Posts: 972
Re: NSA discovers huge security flaw in Microsoft’s Windows 10
« Reply #2 on: January 16, 2020, 04:53:15 am »
  I don't know who I trust less, MicroSoft or the NSA.
 
The following users thanked this post: IdahoMan, Electro Detective

Offline Black Phoenix

  • Frequent Contributor
  • **
  • Posts: 526
  • Country: hk
Re: NSA discovers huge security flaw in Microsoft’s Windows 10
« Reply #3 on: January 16, 2020, 05:55:07 am »
NSA was using this for ages, and then they probably realized that some other nation is aware of the issue too, so time to report.

Or being someone in the Conspiracy theory field, they found a way of using it even while patch, so let's give some sense of security while we keep doing what we do...
 

Offline Berni

  • Super Contributor
  • ***
  • Posts: 2920
  • Country: si
Re: NSA discovers huge security flaw in Microsoft’s Windows 10
« Reply #4 on: January 16, 2020, 07:18:52 am »
Quote
Microsoft said an attacker could exploit the vulnerability by spoofing a code-signing certificate so it looked like a file came from a trusted source.

“The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider,” the company said.

If successfully exploited, attackers would have been able to conduct “man-in-the-middle attacks” and decrypt confidential information they intercept on user connections, the company said.

This does not make any sense. So the exploit is to do with being able to code sign an executable without having the appropriate keys. Not too worried about that since how many people look at the thing anyway.

But how do you go from that to "man in the middle attacks" and "decrypting confidential information"? Are they just making things up or is this another case of the press having no idea what they are talking about and just throwing technical sounding words.
 
The following users thanked this post: Electro Detective

Offline Electro Detective

  • Super Contributor
  • ***
  • Posts: 2713
  • Country: au
Re: NSA discovers huge security flaw in Microsoft’s Windows 10
« Reply #5 on: January 16, 2020, 08:53:47 am »

another publicity stunt..??   :=\

but wait, aren't both groups Linux users?  :-//

 ;D

 

Online bd139

  • Super Contributor
  • ***
  • Posts: 15592
  • Country: gb
Re: NSA discovers huge security flaw in Microsoft’s Windows 10
« Reply #6 on: January 16, 2020, 09:40:30 am »
This does not make any sense. So the exploit is to do with being able to code sign an executable without having the appropriate keys. Not too worried about that since how many people look at the thing anyway.

But how do you go from that to "man in the middle attacks" and "decrypting confidential information"? Are they just making things up or is this another case of the press having no idea what they are talking about and just throwing technical sounding words.

No it is exactly right. It's the crypto library that is flawed. This is used for both code signing and TLS negotiation. Thus you can forge a certificate and leverage an existing trust relationship easily. That can be used to set up an insecure TLS connection to MITM and obtain data or generated a code signing certificate that bypasses prompts.

With these things you have to ignore the dumbed down press and go straight to the source:

https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF

From my understanding what they discovered was elliptic curve parameters could be specified in the certificate which were not validated against standard curves. That allows intentionally weak parameters to be injected into the certificate to decrease certificate generation effort to something reasonable (seconds instead of billions of years).

And yes NSA have probably been using this for months. It probably only got released after it was no longer useful against their adversaries or they have another set of exploits lined up.
 

Offline Berni

  • Super Contributor
  • ***
  • Posts: 2920
  • Country: si
Re: NSA discovers huge security flaw in Microsoft’s Windows 10
« Reply #7 on: January 16, 2020, 12:13:56 pm »
Ah yeah makes more sense now.

But yeah im pretty sure the NSA has been exploiting this for a while before revealing it. Released it probably because they noticed someone else using it.

Also the fact that this cypto library vulnerability suddenly appeared in Win 10 and does not affect older ones makes it seam like it might have been introduced on purpose.

Do web browsers also use this library or bring there own?
 

Online bd139

  • Super Contributor
  • ***
  • Posts: 15592
  • Country: gb
Re: NSA discovers huge security flaw in Microsoft’s Windows 10
« Reply #8 on: January 16, 2020, 12:32:06 pm »
Chrome and firefox bring their own. IE and Edge reuse Windows CryptoAPI. I'm not sure what the new Edge version (based on Chrome) uses
 

Offline Berni

  • Super Contributor
  • ***
  • Posts: 2920
  • Country: si
Re: NSA discovers huge security flaw in Microsoft’s Windows 10
« Reply #9 on: January 16, 2020, 12:39:54 pm »
Chrome and firefox bring their own. IE and Edge reuse Windows CryptoAPI. I'm not sure what the new Edge version (based on Chrome) uses

Ah yes that is a BIG issue then. I thought that crypto library was mostly used to encrypt the win 10 telemetry crap and other built in things.
 

Offline tombi

  • Regular Contributor
  • *
  • Posts: 161
  • Country: au
Re: NSA discovers huge security flaw in Microsoft’s Windows 10
« Reply #10 on: January 16, 2020, 03:09:52 pm »
Kind-of - I think it is basically the Vaudenay attack.
https://lasec.epfl.ch/pub/lasec/doc/Vau04b.pdf

I think you can include curve parameters in the signature algorithm identifier. It stupidly doesn't check these match the curve specified in the issuer cert's public key. It happily verifies the signature using the specified parameters and if it checks out the code is happy. It should be checking they match the curve specified in the algorithm identifier of the issuer's public key.

The thing is you can find a set of parameters that matches the issuer public key and the signature without knowing the issuer's private key. Hence you can make your own certificate that will checkout as signed by something trustworthy.

Forgive me if I have mangled this a bit but this is my understanding at the moment.
 

Online GeorgeOfTheJungle

  • Super Contributor
  • ***
  • Posts: 2698
  • Country: tr
Re: NSA discovers huge security flaw in Microsoft’s Windows 10
« Reply #11 on: January 16, 2020, 03:19:42 pm »
NSA was using this for ages, and then they probably realized that some other nation is aware of the issue too, so time to report.

Vladimir Putin!

"Microsoft Wins $10 Billion Department of Defense Cloud Contract"
https://nypost.com/2019/10/28/pentagon-hands-microsoft-10b-war-cloud-deal-snubs-amazon/

No worries!
Dave, Dave... Where's my signature gone?
 

Online bd139

  • Super Contributor
  • ***
  • Posts: 15592
  • Country: gb
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf