Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Government Microsoft Operating Systems Software United States Windows Technology

Microsoft Patches Major Windows 10 Vulnerability After NSA Warning (cnbc.com) 42

Microsoft on Tuesday patched an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. The vulnerability was spotted and reported by the NSA. CNBC reports: The flaw affected encryption of digital signatures used to authenticate content, including software or files. If exploited, the flaw could allow criminals to send malicious content with fake signatures that make it appear safe. The finding was reported earlier by The Washington Post. It is unclear how long the NSA knew about the flaw before reporting it to Microsoft. The cooperation, however, is a departure from past interactions between the NSA and major software developers such as Microsoft. In the past, the top security agency has kept some major vulnerabilities secret in order to use them as part of the U.S. tech arsenal.

In a statement, Microsoft declined to confirm or offer further details. "We follow the principles of coordinated vulnerability disclosure as the industry best practice to protect our customers from reported security vulnerabilities. To prevent unnecessary risk to customers, security researchers and vendors do not discuss the details of reported vulnerabilities before an update is available." Jeff Jones, a senior director at Microsoft said in a statement Tuesday: "Customers who have already applied the update, or have automatic updates enabled, are already protected. As always we encourage customers to install all security updates as soon as possible." Microsoft told CNBC that it had not seen any exploitation of the flaw "in the wild," which means outside a lab testing environment.

This discussion has been archived. No new comments can be posted.

Microsoft Patches Major Windows 10 Vulnerability After NSA Warning

Comments Filter:
  • by Aighearach ( 97333 ) on Tuesday January 14, 2020 @04:29PM (#59621022)

    The NSA prefers to keep these in their pocket, but they also prefer government offices that have Windows boxes not to get p0wned by other countries.

    They must not feel that they can offer any mitigations at the network level. It is probably even worse than it sounds.

    • "Change your frelling NSAKEY already. It's over 20 years old!"

      Yours,
      The NSA
      • by dohzer ( 867770 )

        "Change your freaking NSAKEY already. It's been discovered by China, and we've discovered that it's been discovered by China!"

    • by DesScorp ( 410532 ) on Tuesday January 14, 2020 @05:00PM (#59621150) Journal

      The NSA prefers to keep these in their pocket, but they also prefer government offices that have Windows boxes not to get p0wned by other countries.

      They must not feel that they can offer any mitigations at the network level. It is probably even worse than it sounds.

      How much do you want to bet that NSA was looking for new ways of putting Trojans and Worms in systems like, say, Iranian Windows servers (as we did with their nuclear program servers) when they found this? If that's the case, then it means that the vulnerability was so bad, NSA judged the threat to western computer systems so severe that it outweighed the benefits of attacking systems in hostile countries.

      • It doesn't matter what sort of conspiracy theory you come up with. They're all correct. I mean, what other business does the NSA help out?

        Facebook.

        Ok, but any others?

      • I would hazard a guess that the NSA have known about this and have been using it for quite some time. What's prompted them to issue this is probably that other countries, probably China, have found out about this and have started using it.
      • Well, if you're going in for detailed and specific speculation involving stuff that is secret and conspiritorial, you can't even count out the possibility that there was no bug, and that the update simply contains a bug necessary to hack the Iranians.

        You can make up anything, it is all equally testable.

    • Looked in all the obvious spots and still no hard details in the CVE Mitre NVD places for hard details and the WHY bit. (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.. The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates. Question: What moron in the field of crypto allows incomplete - partial security validation! Are we going to repeat this for other modes of crypto validation? I suspect it was deliberate so corpo
      • Return to paid windows versions with advertising?

        Win10 seems to expose users to more reliability and dead machines than any version of windows, ever. I can't remember any version of windows that has a lower uptime and reliability index than Windows 10 -- with the main reason being that MS no longer allows users to control when to download and install updates and no longer documents what is in each update -- what it fixes or changes or what files are touched and no longer allows users to cherry pick updates

        • I hold off non-security updates for a year on my only win10 install, no reason to let them brick me so easily.
          • by lpq ( 583377 )

            I was under the impression that Home users (not using a business edition with a 5-license minimum & required annual renewal), weren't able to control what downloads they received, nor when they installed, with reboots being forced on MS's schedule.

            Can you also hold off on security updates to ensure they don't brick your system as well? Of note, microsoft has put non-security updates in things labeled as cumulative security updates in the past. Given their strong-arm behaviors since introducing Win10 a

            • I don't use Home, there is zero reason to do so. There is a slightly more than zero reason to use Win 10 Pro. It is shocking that OEM's even offer home since it must raise their support costs when MS bricks their customers computers.

              On Pro, you can hold off on security patches for up to 30 days - which can be taken away on a whim, they can totally ignore any user setting. I have never been bricked by a security update but it is certainly possible. I thought it had because I did drop it to zero days for t
              • by lpq ( 583377 )

                It sounds like you run Win 10 Pro? It used to be that Win 10 Pro was the same as the Business version, but I had the impression they moved Pro into the consumer category w/win10 and with their required time-expiring licensing of the business edition (as well as a 5 lic min).

                FWIW, someone on one of the opensuse lists had their linux boot disabled as windows installed some new boot loader. They had to boot from an optical disc to reinstall the boot loader.

                My Win7 installation has been 'limping' long before W

  • by misnohmer ( 1636461 ) on Tuesday January 14, 2020 @04:34PM (#59621048)

    If NSA has newer, better exploit, or simply an ability to force Microsoft to sign their payloads with a key trusted by Windows, it makes sense they would prefer the vulnerability patched to prevent malicious actors from hacking the assets they already have other ways to access.

    • Comment removed based on user account deletion
    • by ffkom ( 3519199 )
      Indeed, quite likely that past uses of NSA back-doors by other agencies have taught them to periodically exchange them for new ones while closing the old ones. Or it might have been a genuine bug that was already exploited by other agencies when they learned of it.
    • If NSA has newer, better exploit, or simply an ability to force Microsoft to sign their payloads with a key trusted by Windows, it makes sense they would prefer the vulnerability patched to prevent malicious actors from hacking the assets they already have other ways to access.

      NSA is themselves a heavy Windows 10 user.

    • No. Most exploits these days seem to rely on parameter tables and registries that will allow credible deniability. The loophole of un-parsed string execution and failed memory releases, and incomplete checking/ early exhaustion are others. Then there are payloads in drivers.. OpenBSD audits has shown the way forward. Now that security researchers are getting good, and fgpa logic testing is getting there, the cpu makers are being encouraged to add junk to enable deep stealth and executable's embedded in non-
  • by cusco ( 717999 ) <brian@bixby.gmail@com> on Tuesday January 14, 2020 @04:35PM (#59621056)

    Holy Carp, the NSA actually did something useful for once. Must have been by accident.

    • by Ungrounded Lightning ( 62228 ) on Tuesday January 14, 2020 @04:45PM (#59621098) Journal

      Holy Carp, the NSA actually did something useful for once. Must have been by accident.

      Their mandate is to BOTH:
        - crack foreign communications for US spying.
        - protect US communications - including the civilian sector - from foreign other bad-actor (e.g. crooks) spying.

      Unfortunately, they seem to give the first precedence - to the point of working to weaken civilian encryption, to make it easier for THEM to crack when it carries anything of interest to the spook community.

    • They probably found out that someone else discovered the exploit that they've been using for months or years

      • That'd be my guess. They've discovered one of the other state level actors has been using it, and have decided its time to close the hole.

  • by EETech1 ( 1179269 ) on Tuesday January 14, 2020 @04:43PM (#59621090)

    Is there a fix available for Windows 7, or is it a day late, and a dollar short?

    • If Microsoft issued this patch today then they must have been preparing it for a few days. So they would have known about it before support for Win 7 expired - but they don't want to push out a patch - that would just reduce the number who think that they really do need to move on from MS Win 7.

    • Is there a fix available for Windows 7, or is it a day late, and a dollar short?

      Is Windows 7 vulnerable?

    • Even though the component is in multiple version of Windows, the vulnerability only exists in Windows 10 / Server 2016+ variants according to the Microsoft CVE:

      https://microsoft.com/en-US/se... [microsoft.com]
      • This is the "new backdoor" that was created when the "old backdoor" was closed. This is how government spy agency backdoors in software work. When control is lost of the "old backdoor" a "new backdoor" is put in place until they lose control of that one too. Then the "new backdoor" will be closed with the claim that it is a whoopsie and an even newer backdoor deliberately written into the code.

        This process can be carried on forever. The interesting fact is that the time between the government having Mic

      • by AmiMoJo ( 196126 )

        No patch for Windows 8 either.

        Your link didn't work for me, this one does: https://portal.msrc.microsoft.... [microsoft.com]

  • by Impy the Impiuos Imp ( 442658 ) on Tuesday January 14, 2020 @06:08PM (#59621430) Journal

    The real question is how long did they know about it? Answer is "Until someone else figured it out and started using it."

  • I'm pretty sure they have just inserted a new backdoor that NSA can use!
  • Wait for Windows itself to offer the update. Asking Windows to update may automatically make you a 'beta tester' patsy, fine if you enjoy 'thrills'. Soomeone please correct me if I'm wrong.
  • And so here we have yet again (this is the sixth or seventh time, at least) that Microsoft has closed a backdoor into the Windows Operating System that they initially created at the behest of the US three-letter-agencies, because the "behester" lost control of access to the backdoor. Expect the release in a couple of weeks or months of the "behesters" toolset for exploiting their behested backdoor.

    This should serve as a warning about government mandated backdoors (whether paid, extorted, or arranged with a

  • NSA Marketing dept.: Hey guys, our brand is not doing too well recently, could you guys throw us a bone?

    NSA Skynet dept: Well, yeah - we don't usually do this, but we currently have so many exploits going we don't even bother using them all - we'll send you one of the less useful ones.

  • "The cooperation, however, is a departure from past interactions between the NSA and major software developers ... " - I do not think so, it's seems quite reasonable to assume they kept it for themselves as long as they could, once the method leaked out to US adversaries, thus threatening US installations using the mentioned system they decided it's better to patch it and/or they could've found another vulnerability.

Single tasking: Just Say No.

Working...