Peterborough Linux User Group (Canada) Forum

Linux & Android => Security and Privacy => Topic started by: ssfc72 on January 14, 2020, 03:20:35 PM

Title: Major Windows 10 security flaw announced by the US NSA -update your Win 10
Post by: ssfc72 on January 14, 2020, 03:20:35 PM
https://www.bbc.com/news/technology-51106356

Make sure you have your Windows 10 updated. A patch has apparently just been issued. This is a major security flaw.
Title: Re: Major Windows 10 security flaw announced by the US NSA -update your Win 10
Post by: Jason on January 14, 2020, 04:19:30 PM
Thanks for sharing, Bill. I wondered what was meant by this:

Quote: It could, in theory, have allowed a hacker to pass off a piece of malicious software as being entirely legitimate.

Passed off in what way? Do they mean the Windows app store? BBC articles are always short on details.

Reading the CERT advisory (https://kb.cert.org/vuls/id/849224/) on it and the Krebs article (https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/) reveals some additional detail. It looks like websites can look to be legitimate by offering certificates that look like they were signed by an appropriate certificate authority but actually weren't. So they could spoof a website (with the same look) and get users to download software from it thinking it's legit and it's not. And because it looks like a legit certificate, the lock icon will appear at the top which will also make users trust the site since self-signed certificates generate a warning.

The vulnerability has existed in this library since the NT days so using Windows XP will be much more risky since security patches are no longer released for it. I know at least one member mentioned he still uses it.
Title: Re: Major Windows 10 security flaw announced by the US NSA -update your Win 10
Post by: ssfc72 on January 15, 2020, 04:18:59 AM
https://www.pcworld.com/article/3514172/microsoft-nsa-confirm-killer-windows-10-bug-but-a-patch-is-available.html

According to the above article, the security flaw does not affect Windows 7.

The CERT article does say Windows 8.1 and earlier are not affected.
Title: Re: Major Windows 10 security flaw announced by the US NSA -update your Win 10
Post by: Jason on January 15, 2020, 05:00:04 PM
Quote from: ssfc72 on January 15, 2020, 04:18:59 AM
https://www.pcworld.com/article/3514172/microsoft-nsa-confirm-killer-windows-10-bug-but-a-patch-is-available.html

According to the above article, the security flaw does not affect Windows 7.

The CERT article does say Windows 8.1 and earlier are not affected.

You have an eagle eye, Bill. I missed that part of the CERT advisory. Krebs suggested that in his article as the package in question has been there since the NT days. But I'd trust the advisory over what he says. Talk about irony that older versions of Windows are safe from it.