[conspire] NSA finds dangerous security flaw, doesn't hoard it

Rick Moen rick at linuxmafia.com
Tue Jan 14 17:05:51 PST 2020

Elselist, I wrote:

> Meanwhile, happy Patch Tuesday, all you folks who upgraded to Win10
> after hearing Windows 7 was ending security coverage, and a cheery
> 'hullo' from No Such Agency!
> https://www.washingtonpost.com/national-security/nsa-found-a-dangerous-microsoft-software-flaw-and-alerted-the-firm--rather-than-weaponize-it/2020/01/14/f024c926-3679-11ea-bb7b-265f4554af6d_story.html
> https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/
> https://kb.cert.org/vuls/id/849224/
> https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF
>   Summary
>   NSA has discovered a critical vulnerability (CVE-2020-0601) affecting
>   Microsoft Windows cryptographic functionality. The certificate
>   validation vulnerability allows an attacker to undermine how Windows
>   verifies cryptographic trust and can enable remote code execution. The
>   vulnerability affects Windows 10 and Windows Server 2016/2019 as well as
>   applications that rely on Windows for trust functionality. Exploitation
>   of the vulnerability allows attackers to defeat trusted network
>   connections and deliver executable code while appearing as legitimately
>   trusted entities. Examples where validation of trust may be impacted
>   include:
>   o HTTPS connections
>   o Signed files and emails
>   o Signed executable code launched as user-mode processes
>   [...]
> Short version:  ASAP, all Win10 (and similar Windows Server) machines
> should get security update 'Windows CryptoAPI Spoofing Vulnerability'.
> https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601

As detailed on the WashPo link, it's a notable policy shift that NSA did
the public-spirited thing with this discovery and, first, conveyed
details of this huge, critical flaw in Microsoft Windows CryptoAPI
(Crypt32.dll library), and then issued a public CVE.

  The National Security Agency recently discovered a major flaw in
  Microsoft’s Windows operating system — one that could expose computer
  users to significant breaches, surveillance or disruption — and alerted
  the firm about the problem rather than turning it into a hacking weapon,
  officials announced Tuesday.

  The public disclosure represents a major shift in the NSA’s approach,
  choosing to put computer security ahead of building up its arsenal of
  hacking tools that allow the agency to spy on adversaries’ networks.

  “This is . . . a change in approach . . . by NSA of working to share,
  working to lean forward and then working to really share the data as
  part of building trust,” said Anne Neuberger, director of the NSA’s
  Cybersecurity Directorate, which was launched in October. “As soon as we
  learned about [the flaw], we turned it over to Microsoft.”

Rick Moen                       Linux for IA32:  Party like it's 2037!
rick at linuxmafia.com
McQ!  (4x80)
