NSA: why donate CryptoAPI 0day to Microsoft?

Η κυκλοφόρησε χθες το βράδυ τις ενημερώσεις του for Windows 10 and the . Μια από τις που επιδιόρθωσε η εταιρεία ήταν και μια που τους έδωσε η NSA. Για την συγκεκριμένη ευπάθεια είχαμε reported yesterday before the patch was released by Microsoft.

The vulnerability affects the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve encryption certificates (from Elliptic Curve or simply ECL).


A successful exploitation gives the attacker the power to carry out man-in-the-middle attacks and is then able to decrypt sensitive information.

"An attacker could exploit the vulnerability by using a forged certificate to sign a malicious executable. , making it appear trustworthy and from a legitimate source. The user has no way of knowing that the file is malicious because its digital signature appears to come from a trusted provider,” Microsoft says.

The vulnerability has been described as "significant" and Microsoft explains that exploitation is possible. However, the company is not aware of any attacks at this time.

On the other hand, the NSA published an article of its own about the defect, urging all update windows as soon as possible.

"Vulnerability jeopardizes key points of Windows in a wide range of operators. The NSA believes that the vulnerability is serious and that cybercriminals will quickly grasp the underlying security vulnerability and, if exploited, make the aforementioned platform fundamentally vulnerable. The consequences of not covering the vulnerability will be serious and widespread. "

All versions of Windows 10 released to date are affected, including Windows Server 2016, Windows Server 2019, and Windows Server in versions 1809, 1903, and 1909. The patches are included in this month's cumulative updates.

Of course the NSA seems to be trying to build its public profile by opening up a very serious vulnerability in Windows, with official press releases (PDF) etc. But what the information collection service of the , is how long it has known about the vulnerability and announced it now.

Because in the case of the NSA and any intelligence service, paranoia is half true.
The NSA may have known about the vulnerability and did not disclose it for obvious reasons, until it discovered that others knew.

The above scenario best fits the way the like the NSA, as altruism is known not to characterize them.

iGuRu.gr The Best Technology Site in Greecefgns

Subscribe to Blog by Email

Subscribe to this blog and receive notifications of new posts by email.

Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).