Microsoft to patch NSA reported vulnerability

Bombastinator

https://www.tomsguide.com/news/microsoft-patch-tuesday-jan20

 

I first saw this reported on CNBC of all places.  According to that report, which I can’t seem to link, it was interesting because the NSA does not normally report vulnerabilities it finds.  It’s possible this is old news.


Pasting the body copy from the CNBC article because it’s all I can link.  It’s apparently confirmed at least as to the subject by the tomsguide article.  I can’t speak to the accuracy of either myself.

Quote

Microsoft will patch Windows 10 after the NSA quietly told it about a major vulnerability

Microsoft will release a patch Tuesday for a significant flaw in the Windows operating system, according to intelligence officials and a report.

The National Security Agency told Microsoft about the flaw.

The cooperation is somewhat of a departure. In the past the NSA has kept some flaws secret to use them as part of the U.S. tech arsenal. 

The National Security Agency alerted Microsoft in recent weeks to a significant issue affecting its Windows 10 operating system, ubiquitous within corporations and among consumers, two senior federal cybersecurity officials told CNBC.

The flaw affected encryption of digital signatures used to authenticate content, including software or files. If exploited, the flaw could allow criminals to send malicious content with fake signatures that make it appear safe. The finding was reported earlier by the Washington Post.

It was unclear how long the NSA knew about the flaw before reporting it to Microsoft. The cooperation, however, is a departure from past interactions between the NSA and major software developers like Microsoft. In the past, the top security agency has kept some major vulnerabilities secret in order to use them as part of the U.S. tech arsenal.

Microsoft did not immediately respond to request for comment.

According to the Post, the NSA said in a Tuesday morning call with cybersecurity experts that Microsoft will report that it had not seen any exploitation of the flaw. The NSA is expected to announce its findings later on Tuesday.

 

Not a pro, not even very good.  I’m just old and have time currently.  Assuming I know a lot about computers can be a mistake.

 

Life is like a bowl of chocolates: there are all these little crinkly paper cups everywhere.


1 minute ago, Curious Pineapple said:

I guess they were hit by the issue, and only reported it as it affected them?

Possibly.  It could also be they found someone else using it.
 

CNBC article said they find vulnerabilities but don’t report them normally.
NSA is anti spy.  They’re tasked with keeping foreign powers from spying on the USA.  The CIA has extremely limited powers in the USA; the NSA has extremely limited powers outside of it.  If they’re reporting something they don’t normally report it may be to stop another problem.  One that may have already occurred.


11 minutes ago, Bombastinator said:

Possibly.  It could also be they found someone else using it.
 

CNBC article said they find vulnerabilities but don’t report them normally.
NSA is anti spy.  They’re tasked with keeping foreign powers from spying on the USA.  The CIA has extremely limited powers in the USA; the NSA has extremely limited powers outside of it.  If they’re reporting something they don’t normally report it may be to stop another problem.  One that may have already occurred.

Considering the poor relations with Iran right now, maybe they are doing this as a national security precaution too.

"If a Lobster is a fish because it moves by jumping, then a kangaroo is a bird" - Admiral Paulo de Castro Moreira da Silva

"There is nothing more difficult than fixing something that isn't all the way broken yet." - Author Unknown

Spoiler

Intel Core i7-3960X @ 4.6 GHz - Asus P9X79WS/IPMI - 12GB DDR3-1600 quad-channel - EVGA GTX 1080ti SC - Fractal Design Define R5 - 500GB Crucial MX200 - NH-D15 - Logitech G710+ - Mionix Naos 7000 - Sennheiser PC350 w/Topping VX-1


Great timing too, just as Win 7 support ends, leaving every non-enterprise installation out there open to this flaw. Anyone else see the "convenience" in this?


11 hours ago, Curious Pineapple said:

Great timing too, just as Win 7 support ends, leaving every non-enterprise installation out there open to this flaw. Anyone else see the "convenience" in this?

The article said Windows 7 and 8 aren't affected.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


If the NSA reported it rather than hide it and use it themselves, it must be such a big problem that ordinary hackers could have figured it out, which is quite scary...

She/Her


2 minutes ago, Twilight said:

If the NSA reported it rather than hide it and use it themselves, it must be such a big problem that ordinary hackers could have figured it out, which is quite scary...

I wonder if they used it to their advantage before they reported it.


19 minutes ago, lewdicrous said:

I wonder if they used it to their advantage before they reported it.

It’s unknown how long they had it.  Their job is to spy on spies.  Might have been useful.  Giving it to Microsoft basically shuts it down though.


21 minutes ago, lewdicrous said:

I wonder if they used it to their advantage before they reported it.

Also curious whether or not the "security patch" itself contains a backdoor for the NSA, seeing as they went out of their way to go public with it ("building trust with cyber-security researchers" is about as corny as it gets, when it's all talk and little action).


6 minutes ago, thorhammerz said:

Also curious whether or not the "security patch" itself contains a backdoor for the NSA, seeing as they went out of their way to go public with it ("building trust with cyber-security researchers" is about as corny as it gets, when it's all talk and little action).

It would be interesting to know whether they provided a patch or just described the problem.


Well, good it got fixed very soon if it was really a severe vulnerability though.

| Ryzen 7 7800X3D | AM5 B650 Aorus Elite AX | G.Skill Trident Z5 Neo RGB DDR5 32GB 6000MHz C30 | Sapphire PULSE Radeon RX 7900 XTX | Samsung 990 PRO 1TB with heatsink | Arctic Liquid Freezer II 360 | Seasonic Focus GX-850 | Lian Li Lanccool III | Mousepad: Skypad 3.0 XL / Zowie GTF-X | Mouse: Zowie S1-C | Keyboard: Ducky One 3 TKL (Cherry MX-Speed-Silver)Beyerdynamic MMX 300 (2nd Gen) | Acer XV272U | OS: Windows 11 |


11 hours ago, mr moose said:

The article said windows 7 and 8 aren't affected.

*cleans monitor*

 

Not the first time a speck of dust has made a . look like a ,

 

I'll go hide now


23 hours ago, Curious Pineapple said:

I guess they were hit by the issue, and only reported it as it affected them?

Actually, keeping easier-to-find exploits hidden would lower the security of the USA; remember the NSA is also there to protect the US from cyber attacks.

The really obscure exploits that are unlikely to be found are what they are after.

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´


https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/ (First to report on this)

 

Quote

According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles “certificate and cryptographic messaging functions in the CryptoAPI.” The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates.

Quote

This component was introduced into Windows more than 20 years ago — back in Windows NT 4.0. Consequently, all versions of Windows are likely affected (including Windows XP, which is no longer being supported with patches from Microsoft).

 

Microsoft has not yet responded to requests for comment. However, KrebsOnSecurity has heard rumblings from several sources over the past 48 hours that this Patch Tuesday (tomorrow) will include a doozy of an update that will need to be addressed immediately by all organizations running Windows.

The quotes above are from the article posted. And it seems it has to do with crypt32.dll, which is on all versions of Windows.


On 1/15/2020 at 2:43 PM, lewdicrous said:

I wonder if they used it to their advantage before they reported it.

 

 

There is more that meets the eye
I see the soul that is inside

 

 


On 1/16/2020 at 6:09 AM, AlexOak said:

https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/ (First to report on this)

 

The quotes above are from the article posted. And it seems it has to do with crypt32.dll, which is on all versions of Windows.

The article specifically says it doesn't affect Windows 7 or 8.   I would assume the issue is a combination of some other part of Windows 10 and crypt32.dll.
