ASUS TUF Gaming B760-PLUS WIFI D4 review
Netac NV7000 2 TB NVMe SSD Review
ASUS GeForce RTX 4080 Noctua OC Edition review
MSI Clutch GM51 Wireless mouse review
ASUS ROG STRIX B760-F Gaming WIFI review
Asus ROG Harpe Ace Aim Lab Edition mouse review
SteelSeries Arctis Nova Pro Headset review
Ryzen 7800X3D preview - 7950X3D One CCD Disabled
MSI VIGOR GK71 SONIC Blue keyboard review
AMD Ryzen 9 7950X3D processor review
Microsoft patches crypt32.dll vulnerability that allows certificate spoofing
Yesterday we shared news about a big potential vulnerability with a Microsoft Windows component known as crypt32.dll, a Windows module that Microsoft says handles “certificate and cryptographic messaging functions. You should have received a patch update, and now the specifics are shared.
Microsoft on Tuesday rolled out an important security fix after the U.S. National Security Agency tipped off the company to a serious flaw in its widely used Windows operating system.
The patch closes a really serious leak in Windows allowing allows attackers to spoof digital certificates. By exploiting that, encrypted communication can be intercepted or a man-in-the-middle attack can be performed. Crypt32.dll is a component within Windows that validates certificates. The vulnerability in Crypt32.dll makes it possible to spoof Elliptic Curve Cryptography, or ECC certificates. Windows creates such ECC certificates, among other things, when handling https traffic.
The patches address the vulnerability CVE-2020-0601 in the usermode cryptographic library, CRYPT32.DLL, that affects Windows 10, Windows Seerver 2016 and Server 2019 systems. The vulnerability exists in the way Windows CryptoAPI validates Elliptic Curve Cryptography (ECC) certificates. This vulnerability is classed "Important" and Microsoft says it has not seen it used in active attacks. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider. Microsoft has released updates for this flaw (CVE-2020-0601). Their advisory is here. The NSA’s writeup (PDF) includes quite a bit more detail, as does the advisory from CERT.
Microsoft classifies the update as "Important" and recommends that companies install it as quickly as possible. The NSA shared the same sentiment. "The consequences of not patching this vulnerability are large and widespread," writes the intelligence service in a description. "Tools that can exploit this from a distance are likely to be created and distributed quickly."
Please make sure you hit that Windows update button today.
Rumor: Microsoft might share information on extremely critical vulnerability later today - 01/14/2020 03:53 PM
It's tagged as a rumor, but you can rest assured it'll become a fact. Keep an eye out on your Tuesday patches, and apply them. According to Krebs On Security, Microsoft is about to release an extre...
Promo: URCDKey Sale: Get Microsoft Office 2016 for $29.82 - 01/10/2020 11:11 AM
URCDKey is a license sites available for various platforms, whether for software or games. This time URCDKeys brings an offer at a competitive price, Microsoft Windows 10 Pro OEM and Office 2016 combo...
Microsoft shows several images of the Xbox Series X AMD SoC - 01/08/2020 10:27 AM
You can always tell it is an AMD chip by that metal side plating eh? Through their Twitter accounts, David Prien, Xbox Senior Hardware Director, and Xbox Head himself, Phil Spencer, revealed two imag...
Microsoft Flight Simulator - Snow Gameplay - 01/03/2020 09:16 AM
Asobo Studio shared a new Microsoft Flight Simulator gameplay video which shows snow environments. The simularor looks just spectacular. ...
Microsoft at it again, advertising Gmail in Windows 10 Mail points to Outlook - 12/17/2019 11:28 AM
Perhaps you already have noticed it, Microsoft has started select advertising in the Windows suite. For example, in your Windows 10 mail app, you'll now see 'Get Gmail on your phone'. As if that by...
Rich_Guy
Senior Member
Posts: 13005
Joined: 2003-05-11
Senior Member
Posts: 13005
Joined: 2003-05-11
#5751094 Posted on: 01/15/2020 07:52 PM
Yeah, should have stuck with those, more secure
windows 8.1 and 7 are immune 
Yeah, should have stuck with those, more secure
JamesSneed
Senior Member
Posts: 1665
Joined: 2017-02-14
Senior Member
Posts: 1665
Joined: 2017-02-14
#5751367 Posted on: 01/16/2020 04:57 PM
@fantaskarsef
unless foil is different where you live, its not tin,
so there is no tinfoil hat you can wear.
Tin foil existed prior to aluminum being invented. The name "tin foil hat" dates back to those days when it was an actual product. The name has simply stuck. I personally think it is a lot easier to say than "aluminum foil hat" so I won't complain.
@fantaskarsef
unless foil is different where you live, its not tin,
so there is no tinfoil hat you can wear.
Tin foil existed prior to aluminum being invented. The name "tin foil hat" dates back to those days when it was an actual product. The name has simply stuck. I personally think it is a lot easier to say than "aluminum foil hat" so I won't complain.
Click here to post a comment for this news story on the message forum.
Senior Member
Posts: 959
Joined: 2015-11-21
https://en.wikipedia.org/wiki/Tin-foil-hat