Author Topic: Major Windows 10 security flaw announced by the US NSA - update your Win 10


Offline ssfc72

  • Member
  • Master
  • Posts: 1718
https://www.bbc.com/news/technology-51106356

Make sure you have your Windows 10 updated. A patch has apparently just been issued. This is a major security flaw.
Mint 19.1 on a Dell 14" Inspiron notebook, HP Pavilion X360, 11" k120ca notebook (Linux Lubuntu), Dell 13" XPS notebook computer (MX Linux)
Cellphone ZTE Axon 7 Mini, PCMobile pay as you go

Offline Jason

  • Administrator
  • Master
  • Posts: 3574
  • Humanist. Skeptic. Husband.
Thanks for sharing, Bill. I wondered what was meant by this:

Quote
It could, in theory, have allowed a hacker to pass off a piece of malicious software as being entirely legitimate.

Passed off in what way? Do they mean the Windows app store? BBC articles are always short on details.

Reading the CERT advisory on it and the Krebs article reveals some additional detail. It looks like websites can look to be legitimate by offering certificates that look like they were signed by an appropriate certificate authority but actually weren't. So they could spoof a website (with the same look) and get users to download software from it thinking it's legit and it's not. And because it looks like a legit certificate, the lock icon will appear at the top which will also make users trust the site since self-signed certificates generate a warning.

The vulnerability has existed in this library since the NT days so using Windows XP will be much more risky since security patches are no longer released for it. I know at least one member mentioned he still uses it.
« Last Edit: January 15, 2020, 05:01:06 pm by Jason Wallwork »
"With all its sham, drudgery, and broken dreams, it is still a beautiful world." - Max Ehrmann, Desiderata

Offline ssfc72

  • Member
  • Master
  • Posts: 1718
https://www.pcworld.com/article/3514172/microsoft-nsa-confirm-killer-windows-10-bug-but-a-patch-is-available.html

According to the above article, the security flaw does not affect Windows 7.

The CERT article does say Windows 8.1 and earlier are not affected.

Offline Jason

  • Administrator
  • Master
  • Posts: 3574
  • Humanist. Skeptic. Husband.
Quote
https://www.pcworld.com/article/3514172/microsoft-nsa-confirm-killer-windows-10-bug-but-a-patch-is-available.html

According to the above article, the security flaw does not affect Windows 7.

The CERT article does say Windows 8.1 and earlier are not affected.

You have an eagle eye, Bill. I missed that part of the CERT advisory. Krebs suggested that in his article as the package in question has been there since the NT days. But I'd trust the advisory over what he says. Talk about irony that older versions of Windows are safe from it.