Microsoft Patches Major Windows 10 Vulnerability After NSA Warning (cnbc.com)
Microsoft on Tuesday patched an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. The vulnerability was spotted and reported by the NSA. CNBC reports: The flaw affected encryption of digital signatures used to authenticate content, including software or files. If exploited, the flaw could allow criminals to send malicious content with fake signatures that make it appear safe. The finding was reported earlier by The Washington Post. It is unclear how long the NSA knew about the flaw before reporting it to Microsoft. The cooperation, however, is a departure from past interactions between the NSA and major software developers such as Microsoft. In the past, the top security agency has kept some major vulnerabilities secret in order to use them as part of the U.S. tech arsenal.
In a statement, Microsoft declined to confirm or offer further details. "We follow the principles of coordinated vulnerability disclosure as the industry best practice to protect our customers from reported security vulnerabilities. To prevent unnecessary risk to customers, security researchers and vendors do not discuss the details of reported vulnerabilities before an update is available." Jeff Jones, a senior director at Microsoft said in a statement Tuesday: "Customers who have already applied the update, or have automatic updates enabled, are already protected. As always we encourage customers to install all security updates as soon as possible." Microsoft told CNBC that it had not seen any exploitation of the flaw "in the wild," which means outside a lab testing environment.
LOL, Golly gee whiz! (Score:3)
The NSA prefers to keep these in their pocket, but they also prefer government offices that have Windows boxes not to get p0wned by other countries.
They must not feel that they can offer any mitigations at the network level. It is probably even worse than it sounds.
Re: LOL, Golly gee whiz! (Score:2)
Yours,
The NSA
Re: (Score:2)
"Change your freaking NSAKEY already. It's been discovered by China, and we've discovered that it's been discovered by China!"
Re: LOL, Golly gee whiz! (Score:1)
Re:LOL, Golly gee whiz! (Score:4, Interesting)
The NSA prefers to keep these in their pocket, but they also prefer government offices that have Windows boxes not to get p0wned by other countries.
They must not feel that they can offer any mitigations at the network level. It is probably even worse than it sounds.
How much do you want to bet that NSA was looking for new ways of putting Trojans and Worms in systems like, say, Iranian Windows servers (as we did with their nuclear program servers) when they found this? If that's the case, then it means that the vulnerability was so bad, NSA judged the threat to western computer systems so severe that it outweighed the benefits of attacking systems in hostile countries.
Re: (Score:2)
It doesn't matter what sort of conspiracy theory you come up with. They're all correct. I mean, what other business does the NSA help out?
Facebook.
Ok, but any others?
Re: (Score:2)
Re: (Score:2)
Well, if you're going in for detailed and specific speculation involving stuff that is secret and conspiratorial, you can't even count out the possibility that there was no bug, and that the update simply contains a bug necessary to hack the Iranians.
You can make up anything, it is all equally testable.
Treated like Idiots - what comes next (Score:3, Interesting)
Re: kicked to curb: whatever the market will bear (Score:2)
Return to paid windows versions with advertising?
Win10 seems to expose users to more reliability and dead machines than any version of windows, ever. I can't remember any version of windows that has a lower uptime and reliability index than Windows 10 -- with the main reason being that MS no longer allows users to control when to download and install updates and no longer documents what is in each update -- what it fixes or changes or what files are touched and no longer allows users to cherry pick updates
Re: (Score:1)
Re: (Score:2)
I was under the impression that Home users (not using a business edition with a 5-license minimum & required annual renewal), weren't able to control what downloads they received, nor when they installed, with reboots being forced on MS's schedule.
Can you also hold off on security updates to ensure they don't brick your system as well? Of note, Microsoft has put non-security updates in things labeled as cumulative security updates in the past. Given their strong-arm behaviors since introducing Win10 a
Re: (Score:1)
On Pro, you can hold off on security patches for up to 30 days - which can be taken away on a whim, they can totally ignore any user setting. I have never been bricked by a security update but it is certainly possible. I thought it had because I did drop it to zero days for t
Re: (Score:2)
It sounds like you run Win 10 Pro? It used to be that Win 10 Pro was the same as the Business version, but I had the impression they moved Pro into the consumer category w/win10 and with their required time-expiring licensing of the business edition (as well as a 5 lic min).
FWIW, someone on one of the opensuse lists had their linux boot disabled as windows installed some new boot loader. They had to boot from an optical disc to reinstall the boot loader.
My Win7 installation has been 'limping' long before W
Maybe not useful to NSA anymore? (Score:4, Insightful)
If NSA has a newer, better exploit, or simply an ability to force Microsoft to sign their payloads with a key trusted by Windows, it makes sense they would prefer the vulnerability patched to prevent malicious actors from hacking the assets they already have other ways to access.
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
If NSA has a newer, better exploit, or simply an ability to force Microsoft to sign their payloads with a key trusted by Windows, it makes sense they would prefer the vulnerability patched to prevent malicious actors from hacking the assets they already have other ways to access.
The NSA is itself a heavy Windows 10 user.
Re: (Score:1)
Will Wonders Never Cease (Score:3)
Holy Carp, the NSA actually did something useful for once. Must have been by accident.
Re:Will Wonders Never Cease (Score:5, Insightful)
Holy Carp, the NSA actually did something useful for once. Must have been by accident.
Their mandate is to BOTH:
- crack foreign communications for US spying.
- protect US communications - including the civilian sector - from foreign and other bad-actor (e.g. crooks) spying.
Unfortunately, they seem to give the first precedence - to the point of working to weaken civilian encryption, to make it easier for THEM to crack when it carries anything of interest to the spook community.
Re: (Score:2)
Re: (Score:2)
They probably found out that someone else discovered the exploit that they've been using for months or years
Re: (Score:2)
That'd be my guess. They've discovered one of the other state level actors has been using it, and have decided it's time to close the hole.
Fix for Windows 7? (Score:3)
Is there a fix available for Windows 7, or is it a day late, and a dollar short?
Re: (Score:2)
If Microsoft issued this patch today then they must have been preparing it for a few days. So they would have known about it before support for Win 7 expired - but they don't want to push out a patch - that would just reduce the number who think that they really do need to move on from MS Win 7.
Re: (Score:2)
Is there a fix available for Windows 7, or is it a day late, and a dollar short?
Is Windows 7 vulnerable?
Re: (Score:3)
The story says:
Microsoft on Tuesday patched an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows.
Re: (Score:2)
Microsoft doesn't list anything before Windows 10 / Server 2016 on their security bulletin: https://portal.msrc.microsoft.... [microsoft.com]
However, it is unclear to me if that is due to Windows 7 dropping out of support.
The headlines make it seem like this vulnerability only affects Windows 10... but earlier notices mentioned all versions of Windows.... so I am confused too.
Re:Fix for Windows 7? (Score:4, Insightful)
https://msrc-blog.microsoft.co... [microsoft.com]
Re: (Score:3)
https://microsoft.com/en-US/se... [microsoft.com]
Re: (Score:3)
This is the "new backdoor" that was created when the "old backdoor" was closed. This is how government spy agency backdoors in software work. When control is lost of the "old backdoor" a "new backdoor" is put in place until they lose control of that one too. Then the "new backdoor" will be closed with the claim that it is a whoopsie and an even newer backdoor deliberately written into the code.
This process can be carried on forever. The interesting fact is that the time between the government having Mic
Re: (Score:2)
No patch for Windows 8 either.
Your link didn't work for me, this one does: https://portal.msrc.microsoft.... [microsoft.com]
Most likely (Score:3)
The real question is how long did they know about it? Answer is "Until someone else figured it out and started using it."
Read: NSA ask Microsoft for "FIX". yeah right! (Score:2)
Careful (Score:2)
Deja Vu (Score:2)
And so here we have yet again (this is the sixth or seventh time, at least) that Microsoft has closed a backdoor into the Windows Operating System that they initially created at the behest of the US three-letter-agencies, because the "behester" lost control of access to the backdoor. Expect the release in a couple of weeks or months of the "behesters" toolset for exploiting their behested backdoor.
This should serve as a warning about government mandated backdoors (whether paid, extorted, or arranged with a
If one were to put on a tinfoil hat and be cynical (Score:2)
NSA Marketing dept.: Hey guys, our brand is not doing too well recently, could you guys throw us a bone?
NSA Skynet dept: Well, yeah - we don't usually do this, but we currently have so many exploits going we don't even bother using them all - we'll send you one of the less useful ones.
... departure ? no, just pragmatism (Score:2)