Security Week 04: crypto problems in Windows 10

The main news last week was a vulnerability in the Windows crypto library related to incorrect verification of digital certificates. The problem was closed by a cumulative patch released on Tuesday, January 14th. According to Microsoft, there were no real attacks prior to information disclosure. Vulnerability seems to be the first time in history discovered by the US National Security Agency. More precisely, the NSA is probably engaged in the search for vulnerabilities and (possibly) exploiting them on a regular basis, but this is the first time that information is publicly transmitted to the vendor on behalf of the NSA.

The vulnerability affects the latest versions of Windows 10 and Windows Server 2016/2019. On the CVSSv3 scale, it is rated at 8.1 points – quite seriously, but there have been worse events. For an unpatched system, it opens up the possibility of a highly believable MiTM attack. That is, you can direct the user to a fake website so that the browser does not even swear at the absence or incorrectness of the certificate. Similarly, software with a fake certificate will be identified as legitimate. This is not as dangerous as previously discovered vulnerabilities in remote access services, but bad enough for an unusual collaboration between the NSA and Microsoft.

Primary Sources:
Newsletter Microsoft
Fast Microsoft Blog Details
Advisory National Security Agencies
Proof of Concept: time, two, three
Article Brian Krebs, who was the first to report the vulnerability and the upcoming patch

Funny pictures (from here):

From the screenshots it’s clear what the problem is. Due to an error in the Crypt32.dll library, Windows skips an important step when checking cryptographic keys using elliptic curves. Accordingly, it becomes possible to create your own certificate, which the operating system considers correct. Kudelski Security has created website to check for vulnerabilities. The page is signed with a fake Github certificate, and after installing the patch, the browser should swear at the domain and certificate mismatch. On an unpatched system, the certificate is recognized as valid and the contents of the page are displayed:

The first reports of the vulnerability claimed that it applies to all versions of Windows for almost the last 20 years, but this is not so. Only a couple of the latest builds of Windows 10 and the latest versions of Windows Server are supported. Windows 7 did not have to be patched. And it would be interesting, since support for this operating system ended this month.

The scope of the vulnerability is also limited by the features of the interaction of the software with the Windows crypto library. In all cases, you can fake a digital signature of third-party software. It is not possible to fake Windows system updates – they use a different encryption algorithm. It is possible to fake certificates for websites in Internet Explorer, Microsoft Edge browsers and in any other browsers based on the Chromium engine. Firefox is not affected, as it uses its own certificate validation system.

In some cases, anti-virus software considers the presence of a certificate proof of the harmlessness of the program, so the vulnerability could theoretically facilitate the infection of a computer with malware. However, according to Kaspersky Lab, such a number will not work with its products. In general, we can say that it worked out: unpatched systems are subject to a rather serious risk, but for this it is necessary to create conditions for the successful conduct of the MiTM attack. Much more dangerous could be bug in Internet Explorer, which is already used in real attacks and for which there is no patch yet.

What else happened

Together with the crypto bug was closed Another serious vulnerability in Remote Desktop Services that could theoretically be used to execute arbitrary code.

Has appeared public exploit for critical vulnerabilities in Cisco routers. Vulnerability, closed January 3, can be used to gain full control over a network device.

Next critical found vulnerabilities in WordPress plugins (InfiniteWP Client and WP Time Capsule). Approximately 300 thousand sites are affected, bugs allow you to obtain administrator rights without entering a password.

For two years google will stop Support cookies from third-party sites – now this is the main way to track user behavior for advertising purposes.

Last week Apple again refused unlock the terrorist’s phone at the request of the FBI. Last time (in 2016), the FBI managed on its own, but since then the protection of Apple phones has seriously improved. This is essentially a continuation of the discussion about the weakening of data encryption methods for national security purposes.

Similar Posts

Leave a Reply