Arctic Liquid Freezer II 280 liquid cooler review
Promo: Windows 10 Pro licenses for under 10 USD
Team Group MP33 NVMe 512 GB SSD Review
ADATA SE800 1TB Portable SSD review
Promo: Microsoft Office 2016 for $29.82
Corsair H100i RGB Pro XT liquid cooler review
Corsair K95 RGB PLATINUM XT review
AORUS Radeon RX 5700 XT 8G review
Endgame XM1 gaming mouse review
Guru3D Rig of the Month - December 2019
Microsoft patches crypt32.dll vulnerability that allows certificate spoofing
Yesterday we shared news about a big potential vulnerability with a Microsoft Windows component known as crypt32.dll, a Windows module that Microsoft says handles “certificate and cryptographic messaging functions. You should have received a patch update, and now the specifics are shared.
Microsoft on Tuesday rolled out an important security fix after the U.S. National Security Agency tipped off the company to a serious flaw in its widely used Windows operating system.
The patch closes a really serious leak in Windows allowing allows attackers to spoof digital certificates. By exploiting that, encrypted communication can be intercepted or a man-in-the-middle attack can be performed. Crypt32.dll is a component within Windows that validates certificates. The vulnerability in Crypt32.dll makes it possible to spoof Elliptic Curve Cryptography, or ECC certificates. Windows creates such ECC certificates, among other things, when handling https traffic.
The patches address the vulnerability CVE-2020-0601 in the usermode cryptographic library, CRYPT32.DLL, that affects Windows 10, Windows Seerver 2016 and Server 2019 systems. The vulnerability exists in the way Windows CryptoAPI validates Elliptic Curve Cryptography (ECC) certificates. This vulnerability is classed "Important" and Microsoft says it has not seen it used in active attacks. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider. Microsoft has released updates for this flaw (CVE-2020-0601). Their advisory is here. The NSA’s writeup (PDF) includes quite a bit more detail, as does the advisory from CERT.
Microsoft classifies the update as "Important" and recommends that companies install it as quickly as possible. The NSA shared the same sentiment. "The consequences of not patching this vulnerability are large and widespread," writes the intelligence service in a description. "Tools that can exploit this from a distance are likely to be created and distributed quickly."
Please make sure you hit that Windows update button today.
Rumor: Microsoft might share information on extremely critical vulnerability later today - 01/14/2020 02:53 PM
It's tagged as a rumor, but you can rest assured it'll become a fact. Keep an eye out on your Tuesday patches, and apply them. According to Krebs On Security, Microsoft is about to release an extre...
Promo: URCDKey Sale: Get Microsoft Office 2016 for $29.82 - 01/10/2020 10:11 AM
URCDKey is a license sites available for various platforms, whether for software or games. This time URCDKeys brings an offer at a competitive price, Microsoft Windows 10 Pro OEM and Office 2016 combo...
Microsoft shows several images of the Xbox Series X AMD SoC - 01/08/2020 09:27 AM
You can always tell it is an AMD chip by that metal side plating eh? Through their Twitter accounts, David Prien, Xbox Senior Hardware Director, and Xbox Head himself, Phil Spencer, revealed two imag...
Microsoft Flight Simulator - Snow Gameplay - 01/03/2020 08:16 AM
Asobo Studio shared a new Microsoft Flight Simulator gameplay video which shows snow environments. The simularor looks just spectacular. ...
Microsoft at it again, advertising Gmail in Windows 10 Mail points to Outlook - 12/17/2019 10:28 AM
Perhaps you already have noticed it, Microsoft has started select advertising in the Windows suite. For example, in your Windows 10 mail app, you'll now see 'Get Gmail on your phone'. As if that by...
KissSh0t
Senior Member
Posts: 7262
Joined: 2011-10-22
Senior Member
Posts: 7262
Joined: 2011-10-22
#5750881 Posted on: 01/15/2020 09:01 AM
Pfttt... NSA, can you believe they used to try putting listening devices inside our homes?
Well... the NSA advises you to install the patch to the discovered vulnerability they discovered... wait, let me get my tin foil, I'll be right back 
Pfttt... NSA, can you believe they used to try putting listening devices inside our homes?
Hey alexa, play despacito.
386SX
Senior Member
Posts: 651
Joined: 2017-06-26
Senior Member
Posts: 651
Joined: 2017-06-26
#5750884 Posted on: 01/15/2020 09:14 AM
I already posted this yesterday and urged users to update. Yes, it is really THIS bad. If unpatched, you could fall for spoofed certificates because your computer would think they are valid.
VPNs use certificates mostly, because "passwords are weak".
Webservers use certificates to encrypt the connection (online banking, webshops, you name it).
And much much more ....
So please update, at least this update, so you dont fall for this and you protect others by hardening your defense, so your computer wont be turned into a zombie.
BRAAAAAAAAAAAAAIIIIIIIIIIIIIIIIIIIIIIIIIIIINS!
I already posted this yesterday and urged users to update. Yes, it is really THIS bad. If unpatched, you could fall for spoofed certificates because your computer would think they are valid.
VPNs use certificates mostly, because "passwords are weak".
Webservers use certificates to encrypt the connection (online banking, webshops, you name it).
And much much more ....
So please update, at least this update, so you dont fall for this and you protect others by hardening your defense, so your computer wont be turned into a zombie.
BRAAAAAAAAAAAAAIIIIIIIIIIIIIIIIIIIIIIIIIIIINS!
fantaskarsef
Senior Member
Posts: 11132
Joined: 2014-07-21
Senior Member
Posts: 11132
Joined: 2014-07-21
#5750886 Posted on: 01/15/2020 09:19 AM
I also wonder how the NSA discovered that... what certs they had rigged and suffered from it.
And, iirc, that lately there's been rigged certs for update programs of large companies (Asus?), rigged certs for "security" software (Avira?).
I also wonder how the NSA discovered that... what certs they had rigged and suffered from it.
And, iirc, that lately there's been rigged certs for update programs of large companies (Asus?), rigged certs for "security" software (Avira?).
Astyanax
Senior Member
Posts: 4291
Joined: 2018-03-21
Senior Member
Posts: 4291
Joined: 2018-03-21
#5750890 Posted on: 01/15/2020 09:33 AM
windows 8.1 and 7 are immune
windows 8.1 and 7 are immune
sverek
Senior Member
Posts: 5506
Joined: 2011-01-02
Senior Member
Posts: 5506
Joined: 2011-01-02
#5750894 Posted on: 01/15/2020 10:05 AM
I also wonder how the NSA discovered that... what certs they had rigged and suffered from it.
And, iirc, that lately there's been rigged certs for update programs of large companies (Asus?), rigged certs for "security" software (Avira?).
NSA: hey M$ remember the backdoor we asked you to open?
M$: yeah
NSA: close it, we found better one
M$: oh... ok
I also wonder how the NSA discovered that... what certs they had rigged and suffered from it.
And, iirc, that lately there's been rigged certs for update programs of large companies (Asus?), rigged certs for "security" software (Avira?).
NSA: hey M$ remember the backdoor we asked you to open?
M$: yeah
NSA: close it, we found better one
M$: oh... ok
Mundosold
Senior Member
Posts: 116
Joined: 2012-10-04
Senior Member
Posts: 116
Joined: 2012-10-04
#5750914 Posted on: 01/15/2020 11:29 AM
This might be the nastiest security hole in 15+ years. Even specter/meltdown weren't this bad in terms of real world exploit potential.
This might be the nastiest security hole in 15+ years. Even specter/meltdown weren't this bad in terms of real world exploit potential.
Astyanax
Senior Member
Posts: 4291
Joined: 2018-03-21
Senior Member
Posts: 4291
Joined: 2018-03-21
#5750925 Posted on: 01/15/2020 11:48 AM
it covered a specific certificate chain which is not widely used.
This might be the nastiest security hole in 15+ years. Even specter/meltdown weren't this bad in terms of real world exploit potential.
it covered a specific certificate chain which is not widely used.
mbk1969
Senior Member
Posts: 8378
Joined: 2013-01-17
Senior Member
Posts: 8378
Joined: 2013-01-17
#5750929 Posted on: 01/15/2020 11:57 AM
Microsoft to Intel: Learn how to make vulnerabilities - more than 20 years and not a single scandal.
Microsoft to Intel: Learn how to make vulnerabilities - more than 20 years and not a single scandal.
Zooke
Senior Member
Posts: 188
Joined: 2016-09-21
Senior Member
Posts: 188
Joined: 2016-09-21
#5750943 Posted on: 01/15/2020 12:36 PM
NSA: hey M$ remember the backdoor we asked you to open?
M$: yeah
NSA: close it, we found better one
M$: oh... ok
I think the conversation went more along the lines of
NSA Mr X: Holy Shit, has found out about the certificate exploit we have been using for years.
NSA Boss: Damn, let MS know, tell them we only discovered it yesterday. Tell them to publicly thank us too, make people think we have done it for their safety.
NSA Mr X: Spy on everyone for years and still come out of it smelling of roses, that's why you're the boss, Boss.
NSA: hey M$ remember the backdoor we asked you to open?
M$: yeah
NSA: close it, we found better one
M$: oh... ok
I think the conversation went more along the lines of
NSA Mr X: Holy Shit,
NSA Boss: Damn, let MS know, tell them we only discovered it yesterday. Tell them to publicly thank us too, make people think we have done it for their safety
NSA Mr X: Spy on everyone for years and still come out of it smelling of roses, that's why you're the boss, Boss.
kakiharaFRS
Senior Member
Posts: 249
Joined: 2015-11-21
Senior Member
Posts: 249
Joined: 2015-11-21
#5750945 Posted on: 01/15/2020 12:37 PM
thanks for the news Guru3d clicked that
thanks for the news Guru3d clicked that
like/bell
update
asap
tunejunky
Senior Member
Posts: 888
Joined: 2017-08-18
Senior Member
Posts: 888
Joined: 2017-08-18
#5750985 Posted on: 01/15/2020 02:54 PM
like most of you i'm a bit caught off guard by the NSA acting like a regular joe. so much so, like you, that i'm entirely skeptical of this whole deal.
i still patched it tho
ops:
like most of you i'm a bit caught off guard by the NSA acting like a regular joe. so much so, like you, that i'm entirely skeptical of this whole deal.
i still patched it tho
ops:
geogan
Senior Member
Posts: 438
Joined: 2010-01-04
Senior Member
Posts: 438
Joined: 2010-01-04
#5750988 Posted on: 01/15/2020 03:06 PM
Only reason NSA would release this information is if they found out enemies were using it too now. Otherwise they would have kept it to themselves and continued using it for ever.
Can you just imagine how many other exploits they know about, are using, and are not telling about?
They are NOT the good guys.
Only reason NSA would release this information is if they found out enemies were using it too now. Otherwise they would have kept it to themselves and continued using it for ever.
Can you just imagine how many other exploits they know about, are using, and are not telling about?
They are NOT the good guys.
schmidtbag
Senior Member
Posts: 4632
Joined: 2012-11-10
Senior Member
Posts: 4632
Joined: 2012-11-10
#5750990 Posted on: 01/15/2020 03:09 PM
It's within the NSA's interest to improve security among the general populous, hence the name of the organization. Whether or not you are secure from them is a completely different story. I doubt this patch is making their efforts to spy on you much harder, but, it probably makes it harder for others to do so.
So - if you just accept the fact the NSA is going to watch you no matter what, I'd consider this patch a win.
It's within the NSA's interest to improve security among the general populous, hence the name of the organization. Whether or not you are secure from them is a completely different story. I doubt this patch is making their efforts to spy on you much harder, but, it probably makes it harder for others to do so.
So - if you just accept the fact the NSA is going to watch you no matter what, I'd consider this patch a win.
fry178
Senior Member
Posts: 1317
Joined: 2012-04-30
Senior Member
Posts: 1317
Joined: 2012-04-30
#5751077 Posted on: 01/15/2020 06:18 PM
@fantaskarsef
unless foil is different where you live, its not tin,
so there is no tinfoil hat you can wear.
@fantaskarsef
unless foil is different where you live, its not tin,
so there is no tinfoil hat you can wear.
Click here to post a comment for this news story on the message forum.
Senior Member
Posts: 11132
Joined: 2014-07-21
Well... the NSA advises you to install the patch to the discovered vulnerability they discovered... wait, let me get my tin foil, I'll be right back