NSA Releases Knowledge of Extreme Vulnerability in Windows 10

posted on Jan, 16 2020 @ 05:47 AM
Just an FYI for those who use Windows 10 and haven't already received and applied the critical update released. You may want to check and see if you need to restart your system. The update that fixes the vulnerability has been pushed out automatically already.

Critical Windows 10 vulnerability

Ha ha ha. I jest, I jest. You just got Rick-rolled. Nah, but seriously...


Critical Windows 10 vulnerability used to Rickroll the NSA and Github


Less than a day after Microsoft disclosed one of the most critical Windows vulnerabilities ever, a security researcher has demonstrated how attackers can exploit it to cryptographically impersonate any website or server on the Internet. Researcher Saleem Rashid on Wednesday tweeted images of the video "Never Gonna Give You Up," by 1980s heartthrob Rick Astley, playing on Github.com and NSA.gov. The digital sleight of hand is known as Rickrolling and is often used as a humorous and benign way to demonstrate serious security flaws. In this case, Rashid's exploit causes both the Edge and Chrome browsers to spoof the HTTPS verified websites of Github and the National Security Agency. Brave and other Chrome derivatives, as well as Internet Explorer, are also likely to fall to the same trick. (There's no indication Firefox is affected.)

Rashid's simulated attack exploits CVE-2020-0601, the critical vulnerability that Microsoft patched on Tuesday after receiving a private tipoff from the NSA. As Ars reported, the flaw can completely break certificate validation for websites, software updates, VPNs, and other security-critical computer uses. It affects Windows 10 systems, including server versions Windows Server 2016 and Windows Server 2019. Other versions of Windows are unaffected.




“Fairly terrifying”

Other researchers shared the NSA's sense of urgency. "What Saleem just demonstrated is: with [a short] script you can generate a cert for any website, and it's fully trusted on IE and Edge with just the default settings for Windows," Kenn White, a researcher and security principal at MongoDB, said. "That's fairly horrifying. It affects VPN gateways, VoIP, basically anything that uses network communications." (I spoke with White before Rashid had demonstrated the attack against Chrome.)


Basically this exploit can spoof any website you want to go to. You may think you're on AboveTopSecret.com for example and really be on a malicious website. It is interesting that the NSA has released knowledge of this vulnerability. It is considered one of the most critical and serious ever to be found that exploits the Windows 10 OS.

Definitely recommend checking for updates and getting it patched if you're running on the OS ASAP. See article linked above for full details.



The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors. NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.

edit on 16-1-2020 by SimpleIdea because: (no reason given)




posted on Jan, 16 2020 @ 06:15 AM
a reply to: SimpleIdea

So I ran a Win10 update this morning (even before reading this), but how do I know the update actually came from Microsoft.com...in light of this vulnerability???

Boy, isn't that spooky!!!



posted on Jan, 16 2020 @ 06:23 AM

originally posted by: Flyingclaydisk
a reply to: SimpleIdea

So I ran a Win10 update this morning (even before reading this), but how do I know the update actually came from Microsoft.com...in light of this vulnerability???

Boy, isn't that spooky!!!



Yeah, Windows Update isn't vulnerable to this exploit:

Twitter Comment on Windows Update Vulnerability



posted on Jan, 16 2020 @ 07:58 AM
a reply to: SimpleIdea
There's a bit of sensationalizing going on with this because the NSA reported it instead of staying mum and using it to their advantage. All operating systems and browsers have vulnerabilities. It's the nature of the beast, so to speak. This one, like some others in the past, was just a bit too vulnerable and needed securing.

Internet Explorer needs to be removed from Windows, but for a few reasons Microsoft hasn't done it yet. Edge users should be aware that Microsoft will soon be pushing out a major update that changes it to a Chromium based browser. A smart move on Microsoft's part.

Firefox is my personal choice for a browser, although I have several installed.



posted on Jan, 16 2020 @ 08:04 AM
5 minutes ago got the big, red demand from IT that your personal devices are not allowed on the base if they have not been updated with this patch. Even if you don't (illegally) engage in any contact with any govt network.



posted on Jan, 16 2020 @ 08:11 AM
a reply to: SimpleIdea

How can they make such a claim!

Micro-SHAFT strikes again!



posted on Jan, 16 2020 @ 08:20 AM
hahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahaha

What that should state, is that:

"The NSA created a backdoor into Windows since they realized they didn't have one, so please update immediately so that the data collection can continue."

Seriously. The NSA just *"Happened"* to find this security flaw out of the kindness of their hearts?

Gimme a break. If you believe this, I have a bridge to sell you.



posted on Jan, 16 2020 @ 08:53 AM

originally posted by: dothedew
hahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahaha

What that should state, is that:

"The NSA created a backdoor into Windows since they realized they didn't have one, so please update immediately so that the data collection can continue."

Seriously. The NSA just *"Happened"* to find this security flaw out of the kindness of their hearts?

Gimme a break. If you believe this, I have a bridge to sell you.


I'm pretty sure everything reported is accurate. The NSA found the flaw and reported it.

Now everything else is all conjecture. Sure they might have known about it for years and were exploiting it, and then someone else found out about it and so they shut it down. Who knows.



posted on Jan, 16 2020 @ 08:57 AM
a reply to: Klassified

I don't use Edge or IE. And don't have Chrome installed either. I use Firefox and Opera for my web browsing. Opera has a built-in VPN which is very handy. And both browsers have a very nice array of extensions that I use to try and keep them secure. There are some pretty pernicious cookies out there though.

I would say just to keep my computer clean every time Windows 10 comes out with a major update I download it to a USB and do a fresh install of the OS. And just reinstall any apps I may be using.



posted on Jan, 16 2020 @ 09:28 AM
From a German website, translated with google.translate.
Intense info:


"Not all the details of the Windows cryptocalypse are still on the table, but there is an analysis by Thomas Ptacek, who is a bit familiar with the area. And there is this collection of materials. But Ptacek's analysis is the only one I've seen.

There are several interesting aspects to the whole thing.

First, the code looked clean. That was a logic bug. The code looked right. You really had to understand the matter to understand that there was a problem. Kudos to the NSA that they saw that at all.

Second, it was said initially that the bug would go back 20 years or so. That is probably not true. The bug was installed in 2015. I find that very interesting again. Because we are talking about ECDSA. At that time, ECDSA was shot because it is so fragile and it is so easy to produce a total loss. The Playstation had been hacked over its DSA. djb had already published its counter-proposal Ed25519 with an explicit reference to the fragility of ECDSA and the NIST curves. And under these circumstances they touched the code again and made it worse. You have to know that crypto code is the least volatile code. Everyone is aware of how critical each bit and CPU cycle is, and nobody wants to touch anything. This is also the case with Microsoft. So I didn't want to believe all of this at first. However, there is a reason to touch the crypto code, namely if the spec changes, or you have to implement an aspect of the spec that you did not previously support.

In this case it was the feature that the curve parameters are transferred in the handshake, and not just the few hard-burned-in NIST curves can be used.

So now comes the really embarrassing part. Here is the spec. It says explicitly:

implicitCurve and specifiedCurve MUST NOT be used in PKIX

and

specifiedCurve, which is of type SpecifiedECDomain type (defined in [X9.62]), allows all of the elliptic curve domain parameters to be explicitly specified. This choice MUST NOT be used.

Conspiracy theorists might now be inclined to speak of a bugdoor here, a backdoor that looks like an oversight.

The question remains, why is the NSA making this public? One reason for this can be observed very well. They can be celebrated as heroes. For the first time in their history, they did something positive. And some fools may even believe their Blablah now that they want to open a new page and from now on don't want to exploit important gaps but rather report them. This is of course absurd.

I think the NSA reported it because its own ass was at risk. The NSA has a dual role in the USA and also does the part that the BSI does separately with us. They write the requirement definitions for the military and the authorities. And they wrote in there that elliptical curves are totally awesome and safe, when Rüdi at the congress said, what kind of unproven speculative voodoo technology that is, and that it is better to stay with RSA. Back then, they committed themselves to elliptical curves quite boldly, and the military followed their recommendations. Microsoft has only added support for elliptic curves as far as I know because the NSA had written this to the authorities in the requirements and Microsoft wanted to be able to continue to supply authorities.

So if it now comes out that there is a bug in a "safe" system recommended by the NSA, which is due to the inherent fragility of the system, it damages the reputation of the NSA.

By the way, with such bugs you always have to keep one saying in mind: If the A team has such errors, what does the code of the B team look like?

I therefore say: The behavior of the NSA can be explained without suddenly emerging altruism."
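
The rule quoted in the post above ("implicitCurve and specifiedCurve MUST NOT be used in PKIX") can be enforced as a fail-closed check on the ECParameters field of a key's SubjectPublicKeyInfo. This is an added Python example, not part of the original post or of any Microsoft code; the function names and the sample keys are assumptions constructed for illustration.

```python
# Added example (not from the thread). Sample keys below are constructed, not real.
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # OID 1.2.840.10045.2.1
PRIME256V1 = bytes.fromhex("2a8648ce3d030107")      # OID 1.2.840.10045.3.1.7
KINDS = {0x06: "namedCurve", 0x05: "implicitCurve", 0x30: "specifiedCurve"}

def read_tlv(buf, pos=0):
    """Parse one DER element; return (tag, value, offset of the next element)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def ec_parameters_kind(spki):
    """Classify the ECParameters CHOICE of a DER SubjectPublicKeyInfo."""
    tag, body, _ = read_tlv(spki)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, _ = read_tlv(body)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid, pos = read_tlv(alg)
    if tag != 0x06 or oid != ID_EC_PUBLIC_KEY:
        return "not-ec"  # the rule only concerns EC keys
    if pos >= len(alg):
        return "missing"
    ptag, _, _ = read_tlv(alg, pos)
    return KINDS.get(ptag, "unknown")

def allowed_in_pkix(spki):
    """Fail closed: an EC key passes only when its curve is named by OID."""
    return ec_parameters_kind(spki) in ("namedCurve", "not-ec")

def tlv(tag, value):
    """Minimal DER encoder for the short constructed samples below."""
    if len(value) > 127:
        raise ValueError("sample encoder handles short-form lengths only")
    return bytes([tag, len(value)]) + value

def sample_spki(parameters):
    """Build a constructed SPKI whose public key is a dummy 65-byte point."""
    alg = tlv(0x30, tlv(0x06, ID_EC_PUBLIC_KEY) + parameters)
    return tlv(0x30, alg + tlv(0x03, b"\x00\x04" + bytes(64)))

NAMED = sample_spki(tlv(0x06, PRIME256V1))
IMPLICIT = sample_spki(tlv(0x05, b""))
# Placeholder SEQUENCE holding only a version INTEGER; not a usable curve.
SPECIFIED = sample_spki(tlv(0x30, tlv(0x02, b"\x01")))

if __name__ == "__main__":
    for name, spki in (("named", NAMED), ("implicit", IMPLICIT), ("specified", SPECIFIED)):
        print(name, ec_parameters_kind(spki), allowed_in_pkix(spki))
```

Anything other than a named curve on an EC key is rejected, including a missing or unrecognised parameters field.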



posted on Jan, 16 2020 @ 09:36 AM
Oh come now. Why do you think win 10 was free? They already have full access to your data, built in.

a reply to: dothedew



posted on Jan, 16 2020 @ 10:27 AM
a reply to: SimpleIdea




vulnerability


What just now? I have been using windows 10 for several years and have been vulnerable from day one. Has anyone seen their desktop flash at them sort of like a camera flash. I don't know about you but I covered up that camera lens with a sticky note as per recommendations by the FBI several years ago. However, that may be a moot point since the advancement of cell phones they can now just watch you through the entire cell phone screen. My guess is they just use that code to hack into and through the desktop's screen.


Former FBI director James Comey admitted back in September 2016 that he always covers his laptop’s webcam with tape after seeing Facebook's CEO Mark Zuckerberg doing the same with his laptop.


So I can see a NEW invention here.

A physical clear screen cover that you can place over your desktop or cell phone screen so a hacker can't see you from your phone's or desktop's screen. I could not find anything on a device such as this.

Has one already been invented?



posted on Jan, 16 2020 @ 10:28 AM
a reply to: SimpleIdea

"They" probably found the exploit a while ago and have moved along to the next one.



posted on Jan, 16 2020 @ 11:38 AM
From what I can read seems that one of the functions inside that dll fails but fails to fail properly.

Basically you should assume that the cert is not valid until every test you have has passed but probably somewhere a weird logic bug has allowed the code to jump to the part that sets the valid value to true. The original cause could be perhaps down to a compiler optimization setting or the bit that failed didn't fail elegantly and did something stupid.

I'd guess the NSA were testing the API calls pretty much with as much garbage and crap to see what happened when it went wonky and found the flaw and given it's a pretty obvious one by the sounds of it they just decided to get it fixed to keep consumer confidence up as if people don't trust the tech they won't use it and then there's a lot of bored spooks having to do real world stuff like standing on street corners holding newspapers to watch what you are doing.



posted on Jan, 16 2020 @ 11:52 AM

originally posted by: dothedew
hahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahaha

What that should state, is that:

"The NSA created a backdoor into Windows since they realized they didn't have one, so please update immediately so that the data collection can continue."

Seriously. The NSA just *"Happened"* to find this security flaw out of the kindness of their hearts?

Gimme a break. If you believe this, I have a bridge to sell you.
I'll take 3 fer the price of two.



posted on Jan, 16 2020 @ 01:39 PM

originally posted by: Waterglass
What just now? I have been using windows 10 for several years and have been vulnerable from day one.
Yes I think to use windows 10 you must agree to the terms and conditions which involve collecting some data about you, so even with no bugs or exploits, it gives Microsoft a lot of data about you. If you use the built in picture viewer it sends some data to Microsoft with each photo you view, and Microsoft even published statistics on how many photos had been viewed on Windows 10 viewer. Someone also found screenshots of what they were looking at on their win10 computer were being sent to Microsoft. It's apparently allowed in the windows 10 terms and conditions people agree to.


Has anyone seen their desktop flash at them sort of like a camera flash. I don't know about you but I covered up that camera lens with a sticky note as per recommendations by the FBI several years ago. However, that may be a moot point since the advancement of cell phones they can now just watch you through the entire cell phone screen.
Sounds interesting, I haven't heard of that, can you post a link that explains how that works? I thought blocking the cameras with tape like Zuckerberg and Comey did would work, but there are two of them on smartphones usually, one on each side of the phone, so I know that needed more tape than the laptop or tablet which usually only has just the one cam.



posted on Jan, 17 2020 @ 07:13 AM
a reply to: Arbitrageur




Sounds interesting, I haven't heard of that, can you post a link that explains how that works? I thought blocking the cameras with tape like Zuckerberg and Comey did would work, but there are two of them on smartphones usually, one on each side of the phone, so I know that needed more tape than the laptop or tablet which usually only has just the one cam


Good luck I can't find squat. All I know is that the Smart Phone can capture your picture or view whatever the phone is aimed towards from inside the screen.

HOWEVER; in response to your question I looked at my Samsung Galaxy Smart Phone. Just above the Samsung decal on the top of the phone is a rectangular slot. That's the lens. Just put your finger over it when you have the camera set for a reverse image of "you" and you can block it. Success?
edit on 17-1-2020 by Waterglass because: typo



posted on Jan, 17 2020 @ 10:33 AM

originally posted by: Waterglass
a reply to: Arbitrageur




Sounds interesting, I haven't heard of that, can you post a link that explains how that works? I thought blocking the cameras with tape like Zuckerberg and Comey did would work, but there are two of them on smartphones usually, one on each side of the phone, so I know that needed more tape than the laptop or tablet which usually only has just the one cam


Good luck I can't find squat. All I know is that the Smart Phone can capture your picture or view whatever the phone is aimed towards from inside the screen.

HOWEVER; in response to your question I looked at my Samsung Galaxy Smart Phone. Just above the Samsung decal on the top of the phone is a rectangular slot. That's the lens. Just put your finger over it when you have the camera set for a reverse image of "you" and you can block it. Success?
Right, so you can cover up the camera lens on either side of the phone and that will work, using tape, finger or whatever.

What I didn't understand was the comment about that not working anymore because "since the advancement of cell phones they can now just watch you through the entire cell phone screen." So are you now thinking they can't "watch you through the entire cell phone screen" as you thought? All I can say is if that's the case, I never heard of it and I tried search but also found nothing, so I'm thinking covering the lens with tape still works.



