
For the first time ever, the NSA publicly disclosed a vulnerability - U.S. Government Issues Critical Windows 10 ‘Update Now’ Alert


Arlen Holder

Jan 18, 2020, 1:51:09 PM
o U.S. Government Issues Critical Windows 10 'Update Now' Alert
<https://www.forbes.com/sites/daveywinder/2020/01/15/us-government-issues-critical-windows-10-update-now-alert/>
"Indeed, it was the NSA itself that discovered the vulnerability and
reported it to Microsoft. This is, Neuberger confirmed, the first time that
the NSA had publicly disclosed a vulnerability to a software vendor."

"Malicious software could masquerade as legitimate software that has been
authenticated and signed by a trusted source; malware detection could be
negatively impacted as a result. Furthermore, browsers that rely upon
Windows CryptoAPI could be fooled by a maliciously signed digital
certificate and so no warnings would be issued if a threat actor were to
then decrypt data or inject malicious data."

"Even before Microsoft itself disclosed the details of CVE-2020-0601, a
Windows CryptoAPI spoofing vulnerability, the NSA had confirmed the
importance of both the flaw and the fix. Anne Neuberger, director of the
NSA Cybersecurity Directorate, warned that the issue "makes trust
vulnerable.""

CISA, via the National Cyber Awareness System, has published an alert
titled "Critical Vulnerabilities in Microsoft Windows Operating Systems."
<https://www.us-cert.gov/ncas/alerts/aa20-014a>

See also:
o New Windows 10 'Extraordinarily Serious' Security Warning
<https://www.forbes.com/sites/daveywinder/2020/01/14/windows-10-extraordinarily-serious-security-warning-for-900-million-users/>

Arlen Holder

Jan 18, 2020, 1:53:00 PM
On Sat, 18 Jan 2020 18:51:06 -0000 (UTC), Arlen Holder wrote:

> browsers that rely upon
> Windows CryptoAPI could be fooled

Does anyone know which freeware browsers "rely upon Windows CryptoAPI"?

Arlen Holder

Jan 18, 2020, 10:32:06 PM
On Sat, 18 Jan 2020 18:52:57 -0000 (UTC), Arlen Holder wrote:

> Does anyone know which freeware browsers "rely upon Windows CryptoAPI"?

Apparently the Chrome freeware browser already patched it.
<https://www.bleepingcomputer.com/news/security/how-malware-gains-trust-by-abusing-the-windows-cryptoapi-flaw/>
"To protect users, Chrome added protections that block users from
accessing sites using these spoofed certificates."

o Google Chrome Adds Protection for NSA's Windows CryptoAPI Flaw
<https://www.bleepingcomputer.com/news/security/google-chrome-adds-protection-for-nsas-windows-cryptoapi-flaw/>

Since it's _already_ in the wild, the NSA loses nothing by advertising it.