Guru3D.com
  • HOME
  • NEWS
    • Channels
    • Archive
  • DOWNLOADS
    • New Downloads
    • Categories
    • Archive
  • GAME REVIEWS
  • ARTICLES
    • Rig of the Month
    • Join ROTM
    • PC Buyers Guide
    • Guru3D VGA Charts
    • Editorials
    • Dated content
  • HARDWARE REVIEWS
    • Videocards
    • Processors
    • Audio
    • Motherboards
    • Memory and Flash
    • SSD Storage
    • Chassis
    • Media Players
    • Power Supply
    • Laptop and Mobile
    • Smartphone
    • Networking
    • Keyboard Mouse
    • Cooling
    • Search articles
    • Knowledgebase
    • More Categories
  • FORUMS
  • NEWSLETTER
  • CONTACT

New Reviews
Fractal Design Focus 2 chassis review
Scythe Mugen 5 Rev.C CPU Cooler review
be quiet Pure Loop 2 FX 280mm LCS review
HP FX900 1 TB NVMe Review
Scythe FUMA2 Rev.B CPU Cooler review
SK Hynix Platinum P41 2TB M.2 NVMe SSD Review
Corsair K70 RGB PRO Mini Wireless review
MSI MPG A1000G - 1000W PSU Review
Goodram IRDM PRO M.2 SSD 2 TB NVMe SSD Review
Samsung T7 Shield Portable 1TB USB SSD review

New Downloads
Corsair Utility Engine Download (iCUE) Download v4.27.168
Download Intel network driver package 27.6
AMD Radeon Software Adrenalin 22.8.1 driver download
Prime95 download version 30.8 build 16
Memtest86 9.5 download
Intel ARC graphics Driver Download Version: 30.0.101.1743
GeForce 516.94 WHQL driver download
Display Driver Uninstaller Download version 18.0.5.4
FurMark Download v1.31
Intel HD graphics Driver Download Version: 31.0.101.3222


New Forum Topics
AMD Ryzen 7950X, 7900X, 7700X and 7600X Zen4 processors pricing at Canada etailer AMD Will Announce New Ryzen Processors during August 29 Livestream Event vga or hdmi to scart rgb with latest nvidia driver support.... AUKEY USB Type-C cable has digital display showing real-time power up to 100W Intel Core i9-13900K could get extreme performance mode at 350 Watt TDP Photo of an Actual AMD Ryzen 7 7700X Intel Arc A580 Appearing in AotS Benchmark Database, Comparable to RTX 3050/3060 Intel Arc A380 Desktop Graphics Card Pre-Orders in USA start at 139 USD ASUS ROG Swift OLED PG48 UQ specs disclose 4K organic EL display compatible with 138Hz / 0.1ms. NVIDIA GeForce Hotfix Driver Version 516.79




Guru3D.com » News » Rumor: Microsoft might share information on extremely critical vulnerability later today

Rumor: Microsoft might share information on extremely critical vulnerability later today

by Hilbert Hagedoorn on: 01/14/2020 03:53 PM | source: Krebsonsecurity via hardware.info | 22 comment(s)
Rumor: Microsoft might share information on extremely critical vulnerability later today

It's tagged as a rumor, but you can rest assured it'll become a fact. Keep an eye out on your Tuesday patches, and apply them. According to Krebs On Security, Microsoft is about to release info on an extremely critical vulnerability in Windows. 

Rumors are indicative that the issue is to be found in a cryptographic component, which is present in all Windows versions. A patch would be released starting today, Tuesday. Not much is known about the alleged vulnerability, except that it would be the CryptoAPI.

- Krebs - 

Sources tell KrebsOnSecurity that Microsoft Corp. is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020.

 

 

According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles “certificate and cryptographic messaging functions in the CryptoAPI.” The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates.

A critical vulnerability in this Windows component could have wide-ranging security implications for a number of important Windows functions, including authentication on Windows desktops and servers, the protection of sensitive data handled by Microsoft’s Internet Explorer/Edge browsers, as well as a number of third-party applications and tools.

Equally concerning, a flaw in crypt32.dll might also be abused to spoof the digital signature tied to a specific piece of software. Such a weakness could be exploited by attackers to make malware appear to be a benign program that was produced and signed by a legitimate software company. This component was introduced into Windows more than 20 years ago — back in Windows NT 4.0. Consequently, all versions of Windows are likely affected (including Windows XP, which is no longer being supported with patches from Microsoft).

Microsoft responded, saying that it does not discuss the details of reported vulnerabilities before an update is available. And that is the good news, a patch will be in place real soon.

Source: Krebs On Security via HWI



Rumor: Microsoft might share information on extremely critical vulnerability later today




« 31.5-inch Lenovo G32qc Gaming Monitor · Rumor: Microsoft might share information on extremely critical vulnerability later today · Review: Team Group MP33 NVMe 512 GB SSD »

5 pages 1 2 3 4 5


Gomez Addams
Senior Member



Posts: 213
Joined: 2019-04-15

#5750655 Posted on: 01/14/2020 06:35 PM
"According to Krebs On Security, Microsoft is about to release an extremely critical vulnerability in Windows."

I seriously doubt that is really what they are going to release.

JonasBeckman
Senior Member



Posts: 17562
Joined: 2009-02-25

#5750669 Posted on: 01/14/2020 07:06 PM
Well they do want people to use the newest build so maybe that'd do it...


What will they fix though the ease of which one bypasses the activation requirements? :p
(Well it's probably quite important but I guess we'll get some details in a hour or so when the update is actually out.)

EDIT: Sides they've been handing out free system upgrades for users on W7 way after the initial time period for that was out so yeah it's probably something quite important then.


Now what is it and what will it do to overall system performance. :D
(Eh it's probably not too bad in that regard.)

Hmm wonder if that means the current 19500 build is already using that fix, 19000 20H1 hasn't been updated since December and might be vulnerable still.

Guess a .xxx update for current 19000 build would also confirm it's kinda probably going to be the RTM build instead of issuing a full new build.
And whatever else for 19H2 and earlier this cumulative will fix up.

Rich_Guy
Senior Member



Posts: 12813
Joined: 2003-05-11

#5750727 Posted on: 01/14/2020 10:14 PM
and were patched! :D

bemaniac
Senior Member



Posts: 312
Joined: 2009-03-17

#5750762 Posted on: 01/14/2020 11:52 PM
whole bunch of new stuff just came down the pipe

BetA
Senior Member



Posts: 4412
Joined: 2008-03-03

#5750770 Posted on: 01/15/2020 12:51 AM
there you go....


Microsoft Windows CryptoAPI fails to properly validate ECC certificate chains

Vulnerability Note VU#849224


Original Release Date: 2020-01-14 | Last Revised: 2020-01-14
Overview


The Microsoft Windows CryptoAPI fails to properly validate certificates that use Elliptic Curve Cryptography (ECC), which may allow an attacker to spoof the validity of certificate chains.
Description


The Microsoft Windows CryptoAPI, which is provided by Crypt32.dll, fails to validate ECC certificates in a way that properly leverages the protections that ECC cryptography should provide. As a result, an attacker may be able to craft a certificate that appears to have the ability to be traced to a trusted root certificate authority.
Any software, including third-party non-Microsoft software, that relies on the Windows CertGetCertificateChain() function to determine if an X.509 certificate can be traced to a trusted root CA may incorrectly determine the trustworthiness of a certificate chain.
Impact


By exploiting this vulnerability, an attacker may be able to spoof a valid X.509 certificate chain on a vulnerable Windows system. This may allow various actions including, but not limited to, interception and modification of TLS-encrypted communications or spoofing an Authenticode signature.
Solution


Apply an update

This vulnerability is addressed in the Microsoft Update for CVE-2020-0601.



Full CERT Report:
https://kb.cert.org/vuls/id/849224/





The NSA did found this one.. just on a side note.. (im pretty shure they even used it)


Update, Jan. 14, 9:20 a.m. ET: The NSA’s Neuberger said in a media call this morning that the agency did indeed report this vulnerability to Microsoft, and that this was the first time Microsoft will have credited NSA for reporting a security flaw. Neuberger said NSA researchers discovered the bug in their own research, and that Microsoft’s advisory later today will state that Microsoft has seen no active exploitation of it yet.
According to the NSA, the problem exists in Windows 10 and Windows Server 2016. Asked why the NSA was focusing on this particular vulnerability, Neuberger said the concern was that it “makes trust vulnerable.” The agency declined to say when it discovered the flaw, and that it would wait until Microsoft releases a patch for it later today before discussing further details of the vulnerability.
Update, 1:47 p.m. ET: Microsoft has released updates for this flaw (CVE-2020-0601). Their advisory is here. The NSA’s writeup (PDF) includes quite a bit more detail, as does the advisory from CERT.


Updated from Krebs
https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/


-- This issue was disclosed by Microsoft, who in turn credit the National Security Agency (NSA).

5 pages 1 2 3 4 5


Post New Comment
Click here to post a comment for this news story on the message forum.


Guru3D.com © 2022