zanderthunder Posted January 14, 2020
Microsoft is expected to release a major software update on Tuesday, January 14 that will fix an "extraordinarily serious security vulnerability" affecting a core cryptographic component found in all versions of Windows. This will be the first Patch Tuesday release of 2020 from Microsoft. January 14 is also the day that Microsoft will end support for Windows 7.

As reported by KrebsOnSecurity, Microsoft has already rolled out a patch to fix the bug for the U.S. military and other important high-profile clients and customers. These clients have been asked to sign agreements preventing them from disclosing details of the flaw on or before January 14, 2020.

The flaw is found in the crypt32.dll system file, which handles "certificate and cryptographic messaging functions in the CryptoAPI." It is also used by the Microsoft CryptoAPI that is used for securing cryptography applications and encrypting/decrypting digital certificates. This component is used by key Microsoft apps like Internet Explorer and Edge to securely handle sensitive data. A flaw in crypt32.dll can be used to spoof digital signatures, which can be used by attackers to make malware appear to be a safe and genuine app on your PC.

The report also states that the NSA's Director of Cybersecurity Anne Neuberger is scheduled to host a press conference on January 14 where she will "provide advanced notification of a current cybersecurity issue." Microsoft on its part has already issued a statement saying that it does not discuss any vulnerabilities before rolling out a fix for them. It also made it clear that it does not roll out production-ready updates before its regular Update Tuesday schedule.

Source: Microsoft expected to patch a serious security bug affecting all Windows versions today (via Neowin)
mp68terr Posted January 14, 2020
Quote: "Anne Neuberger ... he ..."
steven36 Posted January 14, 2020
News update: Microsoft Fixes Windows CryptoAPI Spoofing Flaw Reported by NSA

Microsoft patched a spoofing vulnerability present in the Windows usermode cryptographic library, CRYPT32.DLL, on Windows 10, Windows Server 2016, and Windows Server 2019 systems.

In a media call with the NSA that Bleeping Computer joined, the National Security Agency (NSA) stated that they discovered this vulnerability and immediately reported it to Redmond's security team.

Both NSA and Microsoft say that the vulnerability hasn't yet been exploited in the wild, while the agency recommends in its own advisory to install the patches delivered with Microsoft's January 2020 Patch Tuesday as soon as possible to block attackers from defeating "trusted network connections and deliver executable code while appearing as legitimately trusted entities."

"The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners." - NSA

Spoofing ECC certificate chains' validity

"A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates," says Microsoft's security advisory.

"An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider," Microsoft adds.

After successfully exploiting unpatched systems, attackers can launch man-in-the-middle attacks, as well as decrypt confidential info from user connections to the impacted software.

"By exploiting this vulnerability, an attacker may be able to spoof a valid X.509 certificate chain on a vulnerable Windows system," CERT/CC vulnerability analyst Will Dormann explains. "This may allow various actions including, but not limited to, interception and modification of TLS-encrypted communications or spoofing an Authenticode signature."

Now that it's all public:
1) CVE-2020-0601 - Windows doesn't properly validate X.509 certificate chains. https://t.co/gaUWl7J15W
2) CVE-2020-0609, CVE-2020-0610 - Windows Remote Desktop Gateway (not to be confused with RDP proper) unauthenticated RCE. https://t.co/nGHTcCeUWV
— Will Dormann (@wdormann) January 14, 2020

Microsoft's security update addresses the vulnerability tracked as CVE-2020-0601 and reported by the NSA by making sure that the Windows CryptoAPI completely validates ECC certificates.

"This vulnerability is classed Important and we have not seen it used in active attacks," Microsoft Security Response Center's Principal Security Program Manager Mechele Gruhn added. "This vulnerability is one example of our partnership with the security research community where a vulnerability was privately disclosed and an update released to ensure customers were not put at risk."

Microsoft encourages security researchers and organizations to report other potential vulnerabilities using the company's MSRC Researcher Portal.

Mitigation, prevention, and detection options

The NSA security advisory also provides mitigation measures for systems where immediately installing the patches Microsoft released as part of its January 2020 Patch Tuesday is not possible.

"Network devices and endpoint logging features may prevent or detect some methods of exploitation," says the agency's advisory. "Properly configured and managed TLS inspection proxies independently validate TLS certificates from external entities and will reject invalid or untrusted certificates, protecting endpoints from certificates that attempt to exploit the vulnerabilities. Ensure that certificate validation is enabled for TLS proxies to limit exposure to this class of vulnerabilities and review logs for signs of exploitation."

The NSA also recommends using capture analysis tools like Wireshark and tools such as OpenSSL and the Windows certutil utility to extract and analyze certificates to detect any malicious properties.

Certutil can be used to examine an X509 certificate by running the following command:
o certutil -asn

OpenSSL can be used to examine an X509 certificate by running the following command:
o openssl asn1parse -inform DER -in -i -dump
or
o openssl x509 -inform DER -in -text

Certutil can be used to list registered elliptic curves and view their parameters by running the following commands:
o certutil -displayEccCurve
o certutil -displayEccCurve

OpenSSL can be used to view standard curves enabled/compiled into OpenSSL by running the following commands:
o openssl ecparam -list_curves
o openssl ecparam -name -param_enc explicit -text

"Certificates with named elliptic curves, manifested by explicit curve OID values, can be ruled benign," the NSA explains. However, "certificates containing explicitly-defined elliptic curve parameters which only partially match a standard curve are suspicious, especially if they include the public key for a trusted certificate, and may represent bona fide exploitation attempts."

Source
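The distinction the NSA draws above (a named-curve OID is benign, explicitly defined curve parameters are suspicious) can be automated on the DER that certutil or OpenSSL dumps. The following is an added example written for this thread, not code from the post or from the NSA advisory; it walks a certificate's SubjectPublicKeyInfo with a minimal DER reader, and the two sample keys at the bottom are constructed dummies, not real certificates.

```python
# Added example, not from the thread or the NSA advisory: a minimal DER walker that
# classifies the EC parameters in a certificate's SubjectPublicKeyInfo as the advisory
# suggests (named-curve OID = benign, explicit curve definition = suspicious).
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
NAMED_CURVES = {"1.2.840.10045.3.1.7": "secp256r1", "1.3.132.0.34": "secp384r1",
                "1.3.132.0.35": "secp521r1"}
def der_read(buf, pos=0):
    """Read one TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def der_children(value):                                    # (tag, value) children of a SEQUENCE
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out
def decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))
def classify_spki(spki_der):
    """Return (verdict, detail) for one DER-encoded SubjectPublicKeyInfo."""
    fields = der_children(der_children(der_read(spki_der)[1])[0][1])  # AlgorithmIdentifier
    algorithm = decode_oid(fields[0][1])
    if algorithm != ID_EC_PUBLIC_KEY:
        return "not-ec", algorithm
    if len(fields) < 2 or fields[1][0] == 0x05:                  # absent or NULL
        return "implicit-ca", "parameters inherited from the CA"
    params_tag, params = fields[1]
    if params_tag == 0x06:                                        # namedCurve OID
        return "named-curve", NAMED_CURVES.get(decode_oid(params), decode_oid(params))
    return "explicit-params", "explicit ECParameters; compare p, a, b, G, n with the standard"
def classify_cert(cert_der):                                      # whole DER certificate
    fields = der_children(der_children(der_read(cert_der)[1])[0][1])  # tbsCertificate
    if fields[0][0] == 0xA0:                                      # optional [0] version
        fields = fields[1:]
    return classify_spki(tlv(0x30, fields[5][1]))   # serial, sigAlg, issuer, validity, subject, SPKI
def tlv(tag, value):                                  # tiny DER encoder, used for the samples
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value
def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunks = [a & 0x7F]
        while a := a >> 7:
            chunks.append(0x80 | (a & 0x7F))
        body += bytes(reversed(chunks))
    return tlv(0x06, bytes(body))

# Constructed samples (dummy point, dummy curve values): a secp256r1 key by name, and the
# same key with the curve spelled out as explicit ECParameters, the shape to flag.
PUBKEY = tlv(0x03, b"\x00\x04" + b"\x11" * 64)
NAMED_SPKI = tlv(0x30, tlv(0x30, oid(ID_EC_PUBLIC_KEY) + oid("1.2.840.10045.3.1.7")) + PUBKEY)
EXPLICIT_PARAMS = tlv(0x30, tlv(0x02, b"\x01")                                  # ecpVer1
                      + tlv(0x30, oid("1.2.840.10045.1.1") + tlv(0x02, b"\x7f"))  # prime-field
                      + tlv(0x30, tlv(0x04, b"\x01") + tlv(0x04, b"\x02"))        # a, b
                      + tlv(0x04, b"\x04\x03\x04") + tlv(0x02, b"\x05"))           # G, n
EXPLICIT_SPKI = tlv(0x30, tlv(0x30, oid(ID_EC_PUBLIC_KEY) + EXPLICIT_PARAMS) + PUBKEY)
```

classify_cert takes the raw DER of a .cer file, so it can be pointed at the same certificate you would inspect with the certutil -asn or openssl x509 commands above.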
aum Posted January 14, 2020
Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers

Summary

NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows® cryptographic functionality. The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities. Examples where validation of trust may be impacted include:
o HTTPS connections
o Signed files and emails
o Signed executable code launched as user-mode processes

The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors. NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.

[...]

Source (PDF document)

Other sources:
https://www.washingtonpost.com/national-security/nsa-found-a-dangerous-microsoft-software-flaw-and-alerted-the-firm--rather-than-weaponize-it/2020/01/14/f024c926-3679-11ea-bb7b-265f4554af6d_story.html
https://www.wsj.com/articles/microsoft-releases-patch-to-severe-windows-flaw-detected-by-nsa-11579030780
https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/
https://msrc-blog.microsoft.com/2020/01/14/january-2020-security-updates-cve-2020-0601/
Karlston Posted January 14, 2020
Similar topics merged.
Edion Gecos Posted January 15, 2020
In the first post by Edward Raja it says: "... an "extraordinarily serious security vulnerability" affecting a core cryptographic component found in all versions of Windows"

But as it says in the post by steven36: "Microsoft patched a spoofing vulnerability present in the Windows usermode cryptographic library, CRYPT32.DLL, on Windows 10, Windows Server 2016, and Windows Server 2019 systems."

So will Windows 7 not be patched anymore, although the fix could have been included in the last update for January 14, in order to scare "force" everyone into upgrading to the "saver" Windows 10? 😦 And what about the still supported Windows 8.1? No fix for that OS version?

(It is a shame, by the way, that some software companies - looking at you, Adobe! - no longer support Windows 8.1 although it is still officially "alive" for some years! 😠)
Karlston Posted January 15, 2020
15 minutes ago, Edion Gecos said:
So will Windows 7 not be patched anymore, although the fix could have been included in the last update for January 14, in order to scare "force" everyone into upgrading to the "saver" Windows 10? 😦 And what about the still supported Windows 8.1? No fix for that OS version?

From Microsoft Windows CryptoAPI fails to properly validate ECC certificate chains ...

Quote: Microsoft Windows versions that support certificates with ECC keys that specify parameters are affected. This includes Windows 10 as well as Windows Server 2016 and 2019. Windows 8.1 and prior, as well as the Server 2012 R2 and prior counterparts, do not support ECC keys with parameters. For this reason, such certificates that attempt to exploit this vulnerability are inherently untrusted by older Windows versions.

Some older versions of Windows including 7 and 8.1 are not vulnerable, so no patches are needed for them.
Ryrynz Posted January 15, 2020
15 minutes ago, Karlston said:
7 and 8.1 are not vulnerable, so no patches are needed for them.

Can't win 'em all..
Guest Posted January 15, 2020
1 hour ago, Edion Gecos said:
In the first post by Edward Raja it says: "... an "extraordinarily serious security vulnerability" affecting a core cryptographic component found in all versions of Windows" But as it says in the post by steven36: "Microsoft patched a spoofing vulnerability present in the Windows usermode cryptographic library, CRYPT32.DLL, on Windows 10, Windows Server 2016, and Windows Server 2019 systems." So will Windows 7 not be patched anymore, although the fix could have been included in the last update for January 14, in order to scare "force" everyone into upgrading to the "saver" Windows 10? 😦 And what about the still supported Windows 8.1? No fix for that OS version? (It is a shame, by the way, that some software companies - looking at you, Adobe! - no longer support Windows 8.1 although it is still officially "alive" for some years! 😠)

So you are telling that Neowin reported the wrong info then? By the way, I think the moderators used references from Neowin as well.
Edion Gecos Posted January 15, 2020
6 hours ago, Edward Raja said:
So you are telling that Neowin reported the wrong info then? By the way, I think the moderators used references from Neowin as well.

I did not want to imply that Neowin reported something wrong (nor did I in any way, shape, or form want to imply that you provided a wrong story - I hope there is no misunderstanding here). I simply read this thread with the various reports and thought that indeed all versions of Windows are affected, as reported, but Microsoft is only going to patch Windows 10 and up (thus leaving Win 7 and even the still supported Win 8.1 vulnerable)... Which would have been a disgrace. But now it seems that good "old" Windows 7 (and 8.1) is actually safe from this form of attack - and contrary to the often scare-tactic claims, at times upgrading to Windows 10 can make you more vulnerable than staying with the, well, good old team...
steven36 Posted January 15, 2020
15 hours ago, Karlston said:
Some older versions of Windows including 7 and 8.1 are not vulnerable, so no patches are needed for them.

Windows 10 fail. The day they retire Windows 7 they patch a 0day dropped to them by the NSA; the only reason the NSA told them about it is that it serves as NSA image rehab. If they get that backdoor they want, there won't be any need to exploit them because the ISO image already will be. For all we know that is what that update is. It's closed source; we don't know wtf they're putting in their updates.
steven36 Posted January 15, 2020
The NSA moved away from using ECC in 2015, the year they put it in Windows. I think it was an NSA exploit, most likely leaked to other state hackers.

Why do people keep using elliptic curve cryptography since it was compromised by the NSA?
https://www.quora.com/Why-do-people-keep-using-elliptic-curve-cryptography-since-it-was-compromised-by-the-NSA

Because Bruce Schneier said they have been able to break it even before it was put into Windows 10.
https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html#c1675929
https://www.schneier.com/blog/archives/2015/10/why_is_the_nsa_.html

blake • October 28, 2015 5:24 PM
As a reader of Neal Stephenson's Cryptonomicon, I'm disappointed that section 5 skipped a possible motivation: The NSA can break ECC but have just recently been breached by a hostile and competent nation state who, now having the keys, can also break ECC. Now the NSA wants to discontinue ECC in a manner that doesn't admit they could break it all along. It does say NSA having broken ECC is unlikely, but part of the justification for that is the "why now?" question about the changing recommendation.
Israeli_Eagle Posted January 16, 2020
19 hours ago, Edion Gecos said:
And what about the still supported Windows 8.1? No fix for that OS version? (It is a shame, by the way, that some software companies - looking at you, Adobe! - no longer support Windows 8.1 although it is still officially "alive" for some years! 😠)

11 hours ago, Edion Gecos said:
But now it seems that good "old" Windows 7 (and 8.1) is actually safe from this form of attack - and contrary to the often scare-tactic claims, at times upgrading to Windows 10 can make you more vulnerable than staying with the, well, good old team...

Microsoft ended mainstream support for Windows 8.1 on January 9, 2018, but extended support won't end until January 10, 2023. Sadly MS doesn't really support too much anymore when it's only 'extended', same as happened in the last years of Windows 7.
steven36 Posted January 16, 2020
15 hours ago, Israeli_Eagle said:
Microsoft ended mainstream support for Windows 8.1 on January 9, 2018, but extended support won't end until January 10, 2023. Sadly MS doesn't really support too much anymore when it's only 'extended', same as happened in the last years of Windows 7.

Microsoft really only has self support for free (documentation) and paid support (real support) costs extra. What they call support is just updates; there haven't really been any mainstream support updates for Windows 8.1 since Update 3 on Nov 19, 2014.
https://www.onmsft.com/news/microsoft-has-quietly-released-windows-81-update-3-november-update

Extended Support has everything mainstream support had except for the ability to request to change product design and features.
https://support.microsoft.com/en-us/help/14085

It does no good to be able to request something when they stopped putting new product design and features in on Nov 19, 2014. That's not a bad thing, because new product design and features cause regressions and make Windows unstable.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

greenhillmaniac 49 points 2 years ago*
Mainstream support doesn't mean anything in Modern Microsoft dialect. There used to be a time when Mainstream support meant backporting features from newer Windows versions. Anyone remember platform updates? They gave Windows 7:
* Updated Direct2D, Direct3D, DirectWrite, ... all backported from 8.0
* Better WinSxS cleanup
* NVMe and TPM 2.0 support
* Remote Desktop Protocol Updates, including 8.0 and 8.1
* Internet Explorer 11 (updated from version 8)

Even Windows Vista got decent support from Microsoft:
* DirectX 11 support and various Windows 7 API backports
* Remote Desktop Protocol Update 7.0
* Windows Driver Framework update to version 1.11 (backported from 8.0, also to Windows 7)
* Internet Explorer 9 (updated from version 7)

What did Windows 8.1 get? New CPU support? DirectX 11.3? Windowed apps at least? (remember that update Microsoft was going to make for 8.1 that added a start menu and windowed apps?). Screw Microsoft and their support. Windows 8.1 runs just fine without them!

Source: https://old.reddit.com/r/windows/comments/7pesrv/time_to_upgrade_windows_81_exits_mainstream/dsgupro/

Microsoft lied to everyone and said they were going to put a start menu and windowed apps in Windows 8.1, and instead released buggy Windows 10 TH1 6 months early. Windows 10 updates even had the wrong drivers for my AMD PC; they didn't get the right ones till TH2 came out. So Windows 8.1 has had no real mainstream support update since Nov 19, 2014. Windows 10 versions each only have 18 months of support for consumers, but they force new updates once or twice a year. As soon as they get the regressions out of one version they push the next version, because consumers are just beta testers for business. Windows 8.1 mainstream support was DOA when they decided they were going to push a free upgrade of Windows 10 to older Windows users. If it was up to Microsoft and they had not promised 10 years of security updates for Windows 8.1, they would have killed that too. Now with Windows 10, unless you're an Enterprise or steal Enterprise with a workaround, 18 months of support is all you get. The only exception so far is some chips they blacklisted from getting new versions of Windows 10, and they only get Windows 10 updates till 2023 like Windows 8.1.
https://www.nsaneforums.com/topic/362480-opinion-how-microsoft-could-improve-windows-by-being-more-like-apple/

I was going to buy a PC with Windows 10, but since they gave it away free there was no need, so when I bought a new PC in 2015 I bought a new Dell with Windows 8.1 with a free upgrade to Windows 10 on the box, much cheaper. I'm glad I didn't buy Windows 10 after what a shit show it became, because I got my Windows 8.1 key out of the BIOS and got rid of Windows 10 almost 2 years ago; no reason to use Windows 10 unless you have hardware that doesn't support Windows 8.1. Still no reason for me to use Windows 10, because Linux supports new hardware just like Windows 10 does. Windows 8.1 old fixed software versions of apps work for things that are broken in Windows 10 due to upgrades. Stuff that has never been cracked for newer versions of Windows 10. Linus Torvalds said people don't use an OS, they only use software on an OS. If Windows 10 doesn't work for the cracked software I always used on Windows, like it still works on Windows 8.1 for me, because no one is fixing new versions, then it no longer serves its purpose for me. I could always use alternative software or pay for those apps, but what's the point? When if I want to use alternative software I can just use Linux where the apps are free, and dual boot Linux and Windows 8.1 where everything I want to use still works for free on Windows. What drove me away from Windows 10 was new product design and features. They won't leave it alone; it's not even like Windows Vista, Windows 7 or Windows 8.1 anymore, or those old versions would still work. Getting new cracked software has always been a problem. When they made Windows XP SP3 a bunch of cracks stopped working that were made on Windows XP SP1 and SP2. When people started using x64 OS many apps were only cracked for x86; nowadays they crack stuff only for x64 and have apps that only work on x64. I got tired of it and switched to Linux and stopped chasing cracks on Windows because it's a pipe dream.