Critical Windows Vulnerability Discovered by NSA

Yesterday’s Microsoft Windows patches included a fix for a critical vulnerability in the system’s crypto library.

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.

An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.

A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

That’s really bad, and you should all patch your system right now, before you finish reading this blog post.

This is a zero-day vulnerability, meaning that it was not detected in the wild before the patch was released. It was discovered by security researchers. Interestingly, it was discovered by NSA security researchers, and the NSA security advisory gives a lot more information about it than the Microsoft advisory does.

Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities. Examples where validation of trust may be impacted include:

  • HTTPS connections
  • Signed files and emails
  • Signed executable code launched as user-mode processes

The vulnerability places Windows endpoints at risk to a broad range of exploitation vectors. NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable. The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners.

Early yesterday morning, NSA’s Cybersecurity Directorate head Anne Neuberger hosted a media call where she talked about the vulnerability and—to my shock—took questions from the attendees. According to her, the NSA discovered this vulnerability as part of its security research. (If it found it in some other nation’s cyberweapons stash—my personal favorite theory—she declined to say.) She did not answer when asked how long ago the NSA discovered the vulnerability. She said that this is not the first time the NSA sent Microsoft a vulnerability to fix, but it was the first time it has publicly taken credit for the discovery. The reason is that the NSA is trying to rebuild trust with the security community, and this disclosure is a result of its new initiative to share findings more quickly and more often.

Barring any other information, I would take the NSA at its word here. So, good for it.

And—seriously—patch your systems now: Windows 10 and Windows Server 2016/2019. Assume that this vulnerability has already been weaponized, probably by criminals and certainly by major governments. Even assume that the NSA is using this vulnerability—why wouldn’t it?

Ars Technica article. Wired article. CERT advisory.

EDITED TO ADD: Washington Post article.

EDITED TO ADD (1/16): The attack was demonstrated in less than 24 hours.

Brian Krebs blog post.

Posted on January 15, 2020 at 6:38 AM

Comments

Clive Robinson January 15, 2020 7:18 AM

@ Bruce,

I know you wrote this in a hurry, because your proofreading is lower than is normally apparent.

The NSA and its research team might feel a little miffed with,

    If it found it in some other nation’s cyberweapons stash

But to do it twice…,

    She said that this is not the first time it sent the Microsoft a vulnerability to fix

After all “they” would have been so much nicer, but I can maybe understand “the Microsoft” because they are now bigger than a small nation 0:)

Vesselin Bontchev January 15, 2020 7:31 AM

Let’s not panic over this one, shall we?

The vulnerability exists only in Win10 (server and workstation). This means that exploiting it in HTTPS for mass spying is not practical. Even if you MitM the connections (which is hard to do at scale), the sites will stop working when viewed in other OSes.

You can’t use it to deliver a malicious Windows Update. Those use RSA signatures and the vulnerability is in ECC signatures only.

Basically, you can use it only to fool setups that would accept ECC signatures that use custom curves.

It is very much useless to the NSA – which, I guess, is why they disclosed it and made a lot of noise about it in an attempt to repair their image from the damage caused by EternalBlue.

There are much more serious vulnerabilities in the recent patch – like RCEs in the Remote Desktop Gateway which companies use to protect the machines accessible via Remote Desktop on their Active Directory networks.

So, yes, do patch – but don’t lose your marbles over this one. To a large degree, it’s an NSA PR campaign.

See this for a good technical description of the vulnerability.

Anders January 15, 2020 9:13 AM

Since WIN7 does not support ECC keys with parameters,
they killed a perfectly good OS for no reason.

MarkH January 15, 2020 9:16 AM

@Vesselin Bontchev:

Thanks for the link to an “explainer” of how this vulnerability was created.

Not only is the error an elementary one, but also Microsoft had to violate an RFC in order to code it that way …

JonKnowsNothing January 15, 2020 9:23 AM

re:

the NSA discovered this vulnerability as part of its security research

Even assume that the NSA is using this vulnerability — why wouldn’t it?

So… leaving the digging to more the qualified, the unqualified wonder:

  • Spoofing of all updates from any source have been known to be Spoofed.
  • Certificates have been Spoofed.
  • Un-tampered Code have had MITM injections.

So the NSA under the Good Guys Act want a massive update fix to something they use or used?

  • Why NOW?
  • What brings the NSA out from under their rock?
  • Why the NSA charade of being “deeply concerned”?
  • What did the NSA blow up?
    Must have tried to use it and had a STUXNET moment.
  • What did the NSA embed inside the so-called fix?
  • The NSA is implementing a form of Global Economic Stimulation?
  • The NSA has bet through channels on Wall Street on the Disaster Capitalism effect for non-patchable systems?

I’m pretty sure the answers are all found in: Huawei

ht tps://en.wikipedia.org/wiki/Stuxnet
(url fractured to prevent autorun)

kiwano January 15, 2020 9:49 AM

Whatever the NSA’s motivations may have been for publishing/fixing this bug instead of hoarding it, I think it’s important to express our appreciation that someone there made the right call to prioritize defence over offence in this case. Possibly even to our elected representatives. Too bad we probably can’t score the positive reinforcement of getting the decision-maker on this a medal for this decision — or at least a ribbon, I mean c’mon, the marksmanship ribbon is a thing…

me January 15, 2020 10:01 AM

probably the NSA “asked” microsoft to place such bugdoor, then abused as much as possible then some other state actor found it by themselves or because the nsa was using it against them and copied the exploit.
so nsa disclosed it.

for sure they have not disclosed it because they are good.
bug or bugdoor they wanted it fixed only because someone else found it too.

me January 15, 2020 10:07 AM

@kiwano

appreciation that someone there made the right call to prioritize defence over offence in this case

or maybe they found someone using it and decided to kill the bug.
and maybe that someone found it by copying it from nsa in first place

Curious January 15, 2020 11:51 AM

Just want to jump in here and say, that if this perhaps has anything to do with with tricking someone on the other end, in giving them a point on a curve and then with the one on the other end not bothering check if the point offered is actually on the curve or not before responding, that is afaik a type of problem re. ECC stuff that Daniel Bernstein has talked about years ago. As I am not a cryptographer and don’t really know much about ECC, I don’t really know that well just what is required for a problem like that to become relevant. My impression was that ECC crypto can be broken this way by not checking if a stated point is on a curve or not, but I guess there are intricacies re. all of that stuff, not sure how relevant an exploit like that can be today.

I wonder, why now, this news, as regular Windows 7 users by January 14 are officially not supported with security updates anymore.

What would Microsoft’s advice be, if they aren’t officially supporting regular Windows 7 use anymore? Do regular Win7 users perhaps get some funky update, while those with some extended support for Win 7 get proper security updates? I would think that regular Win 7 users don’t get any support at all today January 15, if Win 7 support ended Jan. 14. Not sure what to think about this.

https://www.microsoft.com/en-us/windows/windows-7-end-of-life-support-information

“Even assume that the NSA is using this vulnerability — why wouldn’t it?”

Any intrusion by NSA, or any other warring factions, or others linked to warring factions, or purports to be anyone of these again, on my computer, would equate to acts of terrorism as far as I am concerned.

Curious January 15, 2020 12:35 PM

I am reading in the comment section on Krebs on Security, that Windows 7 supposedly got its last patch on Jan. 14, more importantly that this also included the patch for this vulnerability.

Can anyone please confirm that people that patched on Tuesday were patched for this vulnerability?

JonKnowsNothing January 15, 2020 12:35 PM

@Curious
re:

Any intrusion by NSA, or any other warring factions, or others linked to warring factions, or purports to be anyone of these again, on my computer, would equate to acts of terrorism as far as I am concerned.

In some parts of the world freedom of thought and belief are still allowed. Believing or thinking that ActX is an act of terrorism may not be supported by your local legal systems.

In many countries “terrorism” is a “I know it when I see it” concept and has no technical legal definition.

Generically LEOs will use that buzz word when they want Big PR. The underneath levels find other ways to pound you into submission.

Besides the LEOs there are the CEOs that intrude daily, hourly, minutely, and by the second into your systems and devices because “we buy stuff that does that”.

That you already allow this by use, by common access, by assent (TOS/EULA), pretty much negates any legal stance you want to claim.

So, your intrusion is already happening but I don’t think you will get much traction with your assertion in the courts.

see: Windows 10 telemetry
ht tps://en.wikipedia.org/wiki/Windows_10
(url fractured to prevent autorun)

Curious January 15, 2020 12:38 PM

I am now wondering, why oh why would Microsoft have their patch day, being the same day for last day of Win 7 support? If you didn’t somehow get an update by the start of Wednesday, you are so to speak screwed as I understand it.

Maybe I am wrong, but I don’t remember getting any updates on a tuesday from Microsoft, but later. I don’t live in USA, unsure if patch Tuesday is some US thing, or, a global thing.

Security Sam January 15, 2020 12:46 PM

The stallion has just escaped in the meadows
The keymaster is searching in the dark shadows
The core is the reflection of the tinted windows
That stares out at the vast ocean of minnows.

Anders January 15, 2020 1:02 PM

@Curious

I’m sure that w7 will be changed via last updates in serious
yet pointless way so that in near future it will stop working
properly. Kind of time bomb. In one way or another MS has crippled
their previous OS’s before.

One example:

qualapps.blogspot.com/2010/04/visual-c-2010-apps-dont-support-windows.html

And after end of direct support other developers stop supporting older
OS. Like Mozilla.

support.mozilla.org/en-US/kb/end-support-windows-xp-and-vista

So yes, they are FORCING you to upgrade.

Ismar January 15, 2020 3:02 PM

To all those with negative reactions to this news, what exactly is the NSA supposed to do to get some positive feedback from you?

JonKnowsNothing January 15, 2020 3:12 PM

@Anders
re:

So yes, they are FORCING you to upgrade.

Yes and No.

Yes: You must upgrade if you wish to continue to connect to the great pie-in-the-sky works.

No: Technically, you do not have to upgrade, but you won’t be able to do much.

Lots of governments demand, require and mandate you MUST be connected or you cannot access services or apply for things.

  • apply for passports or visa or drivers license
  • apply for retirement or disability programs
  • file updates to programs such as tax returns, mortgages, job applications
  • apply for MD appointments, Rx refills, Video MD, AI/MD (no person just ELIZA)

The list of YOUMUSTDOs is getting pretty long now.

Not that long ago a MD was driven out of business, had their medical license revoked because the MD did not use or have a computer. The MD serviced a rural disadvantage population. While questions about hand written prescriptions were a starting point in the LEOs actions, the end point was No Computer == No MD. Even though the targeted MD agreed to get one, it was Too Little Too Late. The LEOs were missing their required telemetry.

ht tps://en.wikipedia.org/wiki/ELIZA
(url fractured to prevent auto run)

JonKnowsNothing January 15, 2020 3:30 PM

@Ismar
re:

To all those with negative reactions to this news, what exactly is the NSA supposed to do to get some positive feedback from you?

Ok I’ll give it a go:

  1. Maybe have a mass layoff of 100% NSA employees plus layoff 100% all non-government contractors plus layoffs of 100% of all foreign contractors plus removing 100% involvement with all non-USA governments starting with those governments that support human rights abuses in any form.
  2. Plus accepting responsibility for the thousands of wrongly targeted and incarcerated?
  3. Full lifetime compensation for the families, victims and survivors of all surveillance targets.
  4. Release all victims and arrest all NSA personnel involved in targeting, enabling and perpetuating torture, kangaroo courts world wide.
  5. Re-Target their fellow departments like FBI and CIA and bring to justice those that hold the highest positions and ranks to the World Courts where they cannot buy a Pardon or Immunity.
  6. Publish 100% of all files, documents, code and history in public domain with zero redactions.

I’m sure I could think of some more stuff…

Richard S January 15, 2020 3:46 PM

Either there’s a typo in the article and it’s meant to say this isn’t a zero day because it wasn’t seen in the wild before the patch was released (day zero being the day MS found out, presumably a few weeks or months back) or you’re implying the NSA probably used it before passing on the info to MS…

JonKnowsNothing January 15, 2020 4:04 PM

@Richard S

A Zero-day (also known as 0-day) vulnerability is a computer-software vulnerability that is unknown to, or unaddressed.

Either:

  • Microsoft didn’t know
  • Microsoft didn’t tell

or

  • NSA didn’t know
  • NSA didn’t tell (until now)

or

  • A 3d Entity didn’t know
  • A 3d Entity didn’t tell (presumably why the NSA is telling now)

ht tps://en.wikipedia.org/wiki/Zero-day_(computing)
(url fractured to prevent autorun)

Sancho_P January 15, 2020 4:33 PM

From the technical side I’m not sure this was a very valuable bug, neither for the average criminal nor the TLAs.
Very valuable for the NSA publicity, though. Change of heart? Unlikely.
Good anyway.

@Curious re Win7
AFAIK Win7 doesn’t know about ECC, the issue is relevant in Win10 and Win server versions only.
Why push from 7 to 10? – Um, money makes the world go round?

Rachel January 15, 2020 5:43 PM

I’ve seen no evidence the ‘patch’ is not by definition malware and this is not an appeal to scare everyone into wilfully installing NSA/Microsoft malware I mean patch, and sincerely believe no such evidence exists

uh, Mike January 15, 2020 10:38 PM

What percentage of ransomware infections do you really think we’re hearing about?
And we’re hearing about a lot.
I’ve personally heard of cases that didn’t get into the news.
Perhaps the NSA is trying to defend the country in a national security emergency.
Crazy, I know.

name.withheld.for.obvious.reasons January 16, 2020 1:00 AM

@ Ismar

To all those with negative reactions to this news, what exactly is the NSA supposed to do to get some positive feedback from you?

Seriously?

Start with Principal law, read and understand the U.S. Constitution. Focus particularly on the 4th Amendment contained within the U.S. Constitution Bill of Rights. Also, understand the 3rd Amendment (I see malware hidden in systems as quartering the military), oh yeah–don’t forget the 1st Amendment of the U.S. Constitution Bill of Rights, the freedom of assembly is destroyed by the directed graph of individuals to make associations.

The antics of NSA also affects pre-censorship of the thoughts of individuals that believe they cannot freely express themselves without the government’s blessing–thus killing legitimate dissent. This last element will destroy any progression the human race may achieve as conformance will be law, not a playground. Bruce knows well what this means, and he has written several treatises on this subject.

Lawyers have so twisted and perverted the interpretation of law beyond belief and reason. When laws say ALL TANGIBLE THINGS how is that limited in scope as defined by the 4th amendment–specific thing and specific location. Does any legal professional understand the structure of U.S. law is non-permissive. Holes or loopholes that legal pundits attempt to defend process and procedure is not permission–look at the OLC on drone strikes, even the Senate could not know the legal underpinning…of which there is none. Extrajudicial summary execution of citizens, and their children, is not a value endemic to the law as I understand it.

The FISC reports say so much, it shows NSA asks for forgiveness, not permission. Another glaring issue shows the disregard that the agency has towards authorizing bodies; congress has been manipulated (SEE 2008 FAA, 2014 IAA, HR 4186 — section 309), and the courts are treated with outright contempt.

Does anyone at the NSA understand that the primary duty of any member of the Federal government is to “Support and Defend” the United States Constitution. You have lost your way, try finding a way back to your original mission. We, the U.S. citizens are not your targets–period. And, you must consider that others around the world do not share your mission. Focus on “probable cause” not “discovery through collection”.

The NSA sees no corner in the Universe wherein the NSA is not entitled to data in any form, any where, at any time. One should consider that only a deity would claim access to ALL. So if your God, please give Timmy a new leg, and if you are not, don’t act like you are.

Curious January 16, 2020 1:53 AM

@Sancho_P
“AFAIK Win7 doesn’t know about ECC,(…)”

What is that supposed to mean? Are you really suggesting that no internet HTTPS connections made on Windows 7 computers were ever made using elliptic curve cryptography?

That sounds bizarre to me.

Clive Robinson January 16, 2020 3:30 AM

@ uh, Mike,

What percentage of ransomware infections do you really think we’re hearing about?

Like an iceberg on a misty night you would only expect to see the tip of the problem at best.

We rarely get to hear about the woes of most internet users because in the main they say very little and in turn little of that gets said to people who might be interested in making it known more widely.

Put simply people at home who get hit by ransomware have four choices,

1, Throw the computer away.
2, Re-install OS and apps etc.
3, Pay the ransom.
4, Pay someone who will pay the ransom but not tell them.

Depending on how far up the socioeconomic scale they are gives an indicator of how far down the list they are likely to go. But few will pay unless they value the data they had encrypted highly and that’s only a very small percentage.

The first option can be more often seen as “buy a new computer and sort the old one out later” only the old computer never gets sorted out, it ends up getting put in a cupboard etc. The reason is for many people that’s the easy way to deal with the problem.

The economics are easy to see especially if the computer was second hand to start with, or was low cost and out of warranty.

If you took a snap poll of readers here and asked about the low cost “home computers” they have,

A, Did you make the reinstall DVD?
B, Do you make backups?

The number of yes answers would be smaller than you might expect.

There are several reasons why people don’t backup their computers, for many they don’t see the need, they “USB work”, and don’t even backup their thumbdrives… Others baulk at paying money for “extra hardware” that does nothing and is “not compatible” with other stuff etc etc. But it’s at best a chore and Microsoft have not made it at all easy for home computer users to do backups sensibly[1].

But even if people do backup they often find they can not re-install back to where they were when they need to, for a very long list of reasons. Many of which are easy to solve if you have the knowledge or know where to find the information, which most home users do not.

Which means they have to go find help from someone else, I suspect many readers here are “tech support” for family, friends and anyone else who can talk them into it, and it’s a thankless task at the best of times.

I’ve no idea what your local “Rent-a-Nerd” prices are but if you take what a minimum wage pays per hour and multiply by five you would probably not be far from wrong as the lowest figure, and that won’t get you much, usually those in stores just “ship back to manufacturer” unless it’s in effect “adding product”. They will almost certainly be especially unhelpful with ransomware (they’ve no more chance of cracking encryption than Jo(e) Average).

It’s also true of many self proclaimed “ransomware specialists” unless those writing the ransomware were really bad at making ransomware, what you basically have is a computer with the equivalent of near “Full Disk Encryption and no encryption key”…

In which case all they can do is what you would do if it were not illegal in most jurisdictions, which is pay the ransom and not tell anyone.

Thus the real trick for a ransomware developer is not programming skills, but the ability to make the ransom as easy as possible for people to pay, but without having a trail lead back to them. Which is rather more difficult than developing the programming skills. Because there are ways to make crypto-currencies traceable such are the properties of the block chain and anti-forgery mechanisms to stop you spending the same coins twice etc.

There is another problem with crypto-currencies, the chances are more people know how to buy illegal booze or drugs than they do crypto-currencies, because they’ve bought illegal substances before or someone they know has/does thus they can ask.

[1] The fly in the ointment of sensible backups has been for many years Microsoft itself. The idea of the registry was an abomination and remains so to this day, then there was the idiocy of trying to tie software licences to hardware. But as anyone with a not so quiet hard drive knows Microsoft hates the idea of read only with a passion it wants to write over everything as frequently as it can. Worse they have made the problem of splitting what is “system” from what is “user/data” harder for people with “home” machines to do. Then there is what are in effect “compulsory updates” happening when the OS not the user decides. All of which in turn means the average home computer user is way less likely to back their computer up in any sensible way, it’s easier to just throw it away.

Curious January 16, 2020 3:40 AM

@Sancho_P

Hm, I guess you might be right, though I don’t really understand this. As somebody like me who doesn’t know much about crypto, it sounds weird to me, and counter intuitive in this general sense, that Win 7 wouldn’t have such a vulnerability but then that Windows 10 would, if as it is written in an article I found somewhere:
“Microsoft Windows versions that support certificates with ECC keys that specify parameters are affected. This includes Windows 10 as well as Windows Server 2016 and 2019. Windows 8.1 and prior, as well as the Server 2012 R2 and prior counterparts, do not support ECC keys with parameters. For this reason, such certificates that attempt to exploit this vulnerability are inherently untrusted by older Windows versions.” (https://kb.cert.org/vuls/id/849224/).

Curious January 16, 2020 3:43 AM

@moderator

Would you kindly correct my post just above, and change the bracket signs to <>’s instead?
I promise I will start using the ‘preview’ button after this for making any new comments. 😐

JonKnowsNothing January 16, 2020 3:49 AM

@name.withheld.for.obvious.reasons

re: NSA rehabilitation

There are recent articles that describe the NSA-Syndrome. The aspects are universal and a cure is not forthcoming anytime soon.

In the UK the Counter-terrorism police placed the non-violent group Extinction Rebellion (XR) on a list of extremist ideologies that should be reported to the authorities

“Anti-establishment philosophy that seeks system change”

In the US five climate activists, members of Climate Direct Action (known as the Valve Turners) disrupted a pipeline by (doh) Turning Off The Valve. They notified the companies of the event, posted videos and waited for the cops.

a group of US environmental activists engaged in non-violent civil disobedience targeting the oil industry have been listed in internal Department of Homeland Security documents as “extremists” and some of its members listed alongside white nationalists and mass killers.

In China recent reports of a mass re-writing of “what’s allowed” is underway. One rewrite of a prominent university’s mission statement removed “freedom of thought”.

In the UK, for more than 20 years a secret police detail of the MET has been targeting women activists and developing sexual relationships including having children with them as part of their deployment. All the men were already married before being deployed and used a charm offensive to gain access to bed, board and inside info, with bonuses and promotions as a reward. More than 100 cops were detailed. All their code names are known; the true names of about 10-20 are known.

All the targeted women belonged to non-violent groups. The MET targeted the women because no one challenges a woman’s boy friend, so the MET undercovers could get fast track access to all the non-violent events planned.

It’s all the same sad story over and over.

Breaking The Constitution and Laws in a perverted attempt to prevent change. Protest IS about system change and non-violent protest is written into the document. That’s the whole point of The Constitution.

It’s just a piece of paper anyway.

ht tps://www.theguardian.com/uk-news/2020/jan/10/xr-extinction-rebellion-listed-extremist-ideology-police-prevent-scheme-guidance

ht tps://www.theguardian.com/environment/2020/jan/13/us-listed-climate-activist-group-extremists
(url fractured to prevent autorun)

wiredog January 16, 2020 5:49 AM

I see so many people complaining about Windows 7 being retired and, guys, it’s an 11 year old system. The hardware changes over the last 11 years alone make keeping it up to date difficult. If you want a system that stays updated with all the latest security patches, forever, without the kernel and major UI components being updated, ever, you’re going to be gravely disappointed. Even Linuxes older than 10 years are unsupported. Well, unless you want to upgrade to a newer kernel and libraries. Which is, well, what happens when you go from Windows 7 to 10.

MarkH January 16, 2020 8:49 AM

@Curious:

Vesselin Bontchev posted a comment (near the top) with a link to nice technical summary of the vulnerability. From that article:

Affected systems: Windows 10, Windows Server 2016 & 2019

According to NSA, the bug was introduced in July 2015.

Yes, many versions of MS Win have a crypt32.dll, but it’s not the same code. The more recent versions accept “customized” elliptic curves, where the previous versions were limited (if I understand correctly) to a table of standard curve parameters.

Interestingly — and frustratingly — the standard for representing ECC public key information in X.509 certificates, RFC 5480, includes the language:

specifiedCurve, which is of type SpecifiedECDomain type (defined in [X9.62]), allows all of the elliptic curve domain parameters to be explicitly specified. This choice MUST NOT be used.

It is precisely this option — all of the elliptic curve domain parameters explicitly specified — which appears to have created the vulnerability. Microsoft was one of the participants in the drafting of this standard.

Apparently, Mr Winder at Forbes doesn’t accept NSA’s statement about when the bug was introduced. It would seem that either NSA is incorrect about the risk that earlier Windows versions might be affected, or the Forbes article is.

That being said, probably nobody with an internet-connected XP system should “take a deep breath and relax” 😉
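A defender-side check prompted by the RFC 5480 point above, written as an added example that is not part of the post, the comments, or any Microsoft or NSA material: it walks the DER of a certificate to its SubjectPublicKeyInfo and reports whether an EC key names a standard curve by OID or carries explicit (specifiedCurve) parameters, so such certificates can be flagged for review. The function names, the placeholder curve values, the fake public key and the certificate skeleton are all constructed here for the demonstration.

```python
"""Flag EC keys whose AlgorithmIdentifier carries explicit domain parameters
(specifiedCurve, forbidden by RFC 5480) instead of a namedCurve OID.
Standard library only; the DER samples at the bottom are constructed here."""

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"  # id-ecPublicKey (RFC 5480)
SECP256R1 = "1.2.840.10045.3.1.7"       # namedCurve OID for P-256
PRIME_FIELD = "1.2.840.10045.1.1"       # X9.62 fieldID: prime field

def read_tlv(data, pos=0):
    """Decode one DER TLV at data[pos]; return (tag, value, end_offset)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def children(value):
    """Split a constructed element's contents into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, body, pos = read_tlv(value, pos)
        out.append((tag, body))
    return out

def decode_oid(body):
    """Convert OID contents octets to dotted notation."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def classify_spki(spki_der):
    """'named_curve', 'specified_curve', 'implicit_ca', 'not_ec' or 'unknown_parameters'."""
    _, spki, _ = read_tlv(spki_der)
    alg_fields = children(children(spki)[0][1])  # AlgorithmIdentifier
    if decode_oid(alg_fields[0][1]) != ID_EC_PUBLIC_KEY:
        return "not_ec"
    ptag = alg_fields[1][0] if len(alg_fields) > 1 else None
    return {0x06: "named_curve",       # ECParameters ::= namedCurve OID
            0x30: "specified_curve",   # SpecifiedECDomain SEQUENCE
            0x05: "implicit_ca"}.get(ptag, "unknown_parameters")

def spki_from_certificate(cert_der):
    """Extract (re-encoded) subjectPublicKeyInfo from a DER Certificate."""
    _, cert, _ = read_tlv(cert_der)
    fields = children(children(cert)[0][1])      # tbsCertificate fields
    if fields[0][0] == 0xA0:                     # optional [0] version
        fields = fields[1:]
    tag, body = fields[5]  # serial, signature, issuer, validity, subject, SPKI
    return der(tag, body)

# --- minimal DER encoder, used only to construct the sample inputs below ---
def der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out

def OID(dotted):
    return der(0x06, encode_oid(dotted))

def INT(v):
    return der(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

FAKE_POINT = der(0x03, b"\x00\x04" + b"\x11" * 64)  # constructed, not a real key

# Constructed sample 1: P-256 key identified by its namedCurve OID (the normal case).
NAMED_SPKI = der(0x30, der(0x30, OID(ID_EC_PUBLIC_KEY) + OID(SECP256R1)) + FAKE_POINT)

# Constructed sample 2: the same key shape with explicit SpecifiedECDomain
# parameters (abbreviated placeholder values), the choice RFC 5480 says MUST NOT be used.
SPECIFIED_PARAMS = der(0x30, INT(1) + der(0x30, OID(PRIME_FIELD) + INT(0xFFFF)))
SPECIFIED_SPKI = der(0x30, der(0x30, OID(ID_EC_PUBLIC_KEY) + SPECIFIED_PARAMS) + FAKE_POINT)

def wrap_in_skeleton_certificate(spki):
    """Constructed certificate skeleton (empty names, empty signature) for testing."""
    alg = der(0x30, OID(ID_EC_PUBLIC_KEY))
    tbs = der(0x30, der(0xA0, INT(2)) + INT(4242) + alg
              + der(0x30, b"") * 3 + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00"))
```

Feeding `spki_from_certificate` the DER of a real certificate (for example one exported from a certificate store) and passing the result to `classify_spki` gives the same three-way verdict; a `specified_curve` result on a code-signing or TLS certificate is the condition worth escalating.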

me January 16, 2020 9:25 AM

@name.withheld.for.obvious.reasons

To all those with negative reactions to this news, what exactly is the NSA supposed to do to get some positive feedback from you?

-Stop mass surveillance in a credible and auditable manner (i don’t trust their words)
-stop pushing backdoors everywhere
-start behaving according to the law instead of ignoring or reinterpreting it at their interest

just to name a few

me January 16, 2020 9:36 AM

@Curious
OMG! there is a preview button i don’t know how this is possible but i never noticed it! thanks a lot!

i hope that the nsa changed their way to act from offensive to defensive but i don’t believe this is going to happen anytime soon…

Anders January 16, 2020 11:25 AM

@SpaceLifeForm

Something interesting for you!
(check those timestamps)

mobile.twitter.com/cyb3rops/status/1217794101988528130?p=v

Clive Robinson January 16, 2020 11:25 AM

@ Wiredog,

The hardware changes over the last 11 years alone make keeping [Win7] up to date difficult.

Depends on which way you look at it.

From my point of view with a couple of 17inch screen laptops that are fully functional and work well, it’s an annoyance that the OS they came with is no longer supported (they dual boot). They have never had hardware additions because none were necessary, needed or wanted for what they do.

But they have USB2 or better interfaces and surprisingly the more useful stuff like “hubs” and “serial adaptors” still work fine along with external SSD, HDs, floppies, tape drives printer/faxes/scanners.

However they run faster and better with a version of Linux that’s not yet two years old.

The big problem as far as I’m concerned is that getting linux off of the front of randomly bought magazines[1] that is for 32bit machines is getting harder, as the few magazines around assume 64bit machines mostly.

Which brings us to the point that all Intel CPU’s have security flaws that are serious and so do most other 64bit CPUs you can get, so buying 64bit gives you no security advantages, infact the very opposit applies the security vulnerabilities of new hardware are considerably worse these days than with hardware of ten twenty or even thirty years ago[2].

One potential security solution is to get away from the big CPU manufacturers. Single Board Computers are surprisingly usable and don’t need Management Engines and Secure Enclaves or WiFi, BlueTooth or similar “go faster stripes”. If you are happy with the command line then even a number of Embedded / Systems on a Chip microcontrollers can run multitasking operating systems well, and the development boards are sold at almost give away prices.

But “old hardware” is also an issue for “embedded systems” and those built on PC104 cards etc for industrial control systems (ICS), where you can have 8086 through 486 based systems still running, and in some cases still buy new boards with compatible chips in.

As far as I am aware the i486 is still “supported” by Linux, though some GNU stuff does not. Likewise MINIX 3 claims x86 support (and being in the Intel Management Engine made it the most used OS at one point).

The last version of Knoppix I downloaded does run on an old 486 with 64Mbyte of RAM and VGA card reasonably well especially in non graphical mode and has supported all the hardware on the machines I have (including a pile of dung 64bit machine that I have been told I have to use for presentations…).

As for 8086, yes I still have some hardware, but it still runs MS-DOS 3 or 5 depending which floppy I load it from. I’ve heard in the past that there is a Linux look alike OS that is being developed called ELKS for legacy embedded systems.

Also I have quite a collection of older Linux “cover CDs and even floppies” going back to when Slackware was the only game in town. Worse still, anyone remember before MS-DOS 3 and Windows 3? Well I’ve some 5.25 floppies that might make you nostalgic (not 😉 Dare I mention SCO and Netware?… The point is you can keep old hardware going till it finally croaks if you want to, and if you are mainly a command line user then yes you can keep on being productive. You can also, thanks to the work of Phil Karn KA9Q and others who wrote SLIP and PPP drivers and stacks, even network early MS OS’s via the serial port, long before MS filched the BSD IP networking code and retro fitted it to their OS’s (funny, even the latest MS OS still feels like networking is a retro-fit).

What you can not do though is safely connect them to the Internet for browsing and the like (not that they would support modern HTML or the 1-120Mbyte Web pages etc that are around these days), or support more modern “kitchen sink” scripting languages like Python.

I still use many old “thunkers” to act as bottom end tool chain devices to talk to microcomputer development boards, of which I have quite a few that don’t have USB or go beyond the first version of USB. Likewise several Industrial Control Systems, ATE instruments and “Radio devices” including modems, that like it or loathe it I am expected to support…

So from my point of view “old hardware” is part and parcel of being productive in environments where hardware is expected to function and be supported for way more than a quarter of a century, not the “18 months maybe” of modern laptops, tablets and smart devices.

And I guess my oldest PC is in its fifth decade now and one or two others will be in a year or two. Oddly they have come back into fashion in various ways…

[1] I’ve explained the possible security advantages of this seemingly odd practice before.

[2] Yes I’m fully aware that the old rule of “There are lies, damn lies and statistics” applies so there is room for argument. But the more “go faster stripes” hardware the manufacturers add, especially with the likes of Management Engines and other faulty security gimmicks like security enclaves etc, the more insecure they actually become (due to too much specmanship and complexity amongst other things). Certainly beyond the point where the US Gov IC and other entities trust them.

Clive Robinson January 16, 2020 12:14 PM

@ MarkH,

Apparently, Mr Winder at Forbes doesn’t accept NSA’s statement about when the bug was introduced.

It’s been quite a few years since I last had a chat over a beer with “Wavey Davey”[1], but he struck me as OK on technology and what was circling it socially and politically on the security side.

Thus I suspect he might at the very least be “being cautious”. Let me put it this way: having seen first hand the tricks that various representatives of the Five-Eyes SigInt agencies got up to on standards committees, I personally would doubt anything they said to me unless I could get two or three independent verifications by uninvolved parties.

But also look at it this way: what has Microsoft said? Really it’s only about the OS’s they support, and Win 7 was not on the day the patches went out the door.

I guess people are going to have to dig deeper into the 32bit Crypto DLL to make sure which versions do or do not have the problem; now there is some POC code out there it becomes possible to check.

Having read both his Forbes articles on the subject, he was clearly expressing caution rather than making a definitive statement.

As for,

Microsoft was one of the participants in the drafting of this standard.

It begs the question of “What were they thinking?” I know there have been stories about them and the NSA being “as thick as thieves” for many years now. But if a standard says “MUST NOT” you would have thought somebody would have said “hey guys, are we sure about this?” at some point.

But it also begs the question of those who wrote the standard of “Why put in what you do not want implemented?” After all it is kind of like putting a big red button on the wall and hanging a note off of it that says “do not press”. Why put the button up at all in the first place?..

[1] He apparently has settled on “Happy Geek” according to his autobio, and has a web site to that effect,

https://happygeek.com/

Curious January 16, 2020 1:32 PM

I am curious, how would anybody mount a man in the middle attack with the aim of faking the authentication of, what? anything digitally signed, or digital certificates, with failed authentication of ECC crypto?

Controlling parts of the infrastructure? (state actors that place themselves in between you and a website?)
Neighboring hardware? (something inside your own network?)
Spoofing other people’s websites, linking to a fake version?
Anything somehow relying on being digitally signed?
Is it like relying on a bunch of instituted referees or office workers in your workplace/business/organization that are constantly drunk and unable to perform their duties while pretending otherwise while handling sensitive material?
Anything else that is obvious?

What role does the system of relying on certificate authorities play in making this flaw work?

Is it the crypto implementation that is flawed, or is the flaw in the tools that are used for authentication, or both?

Are there perhaps hidden damages, that maybe cannot ever be found out? Like hidden consequences, even if the flaw is stopped from being exploited from now on. Would one risk, in the face of learning of this flaw, having to start everything from scratch, thinking every data file might be unauthorized and compromised? Could compromised material have been whitewashed even, to further hide or obfuscate the possibly suspected range of data files (like maybe based on dates back to the estimated origin of the flaw)?

Or, am I misunderstanding something here in how there is a vulnerability here?
I, ofc, am out of my comfort zone trying to sketch up how to understand this, but I would like to try to understand the basics of all of this.

Vesselin Bontchev January 16, 2020 1:34 PM

To clear up some misunderstanding by some people in this thread:

Windows 7 (or 8, or any other version of Windows besides 10) is not vulnerable to this bug.

The bug is caused by Microsoft failing to check correctly the parameters of custom ECC curves. While Windows 7 does “know about ECC”, it does not support custom ECC curves; it supports only named ones.

The same goes for Firefox, BTW. It uses its own certificate verification engine that does not support custom ECC curves, which means that it is not vulnerable to this problem even if running on unpatched Windows 10.

Chrome is vulnerable, but it has some additional restrictions on the root certificate, which means that in order to exploit it (i.e. to spoof an HTTPS certificate on a vulnerable Windows 10 machine), you have to visit the legitimate site first and only afterwards MitM the connection. It’s doable, though, by using some clever scripting.

The issue is mostly of theoretical threat to the individual user. Corporations targeted by a nation-state are more vulnerable to it. No, Microsoft Update cannot be spoofed – but there are other things that download updates and rely on HTTPS and authenticode for protection. But, who am I kidding, many of these corporations can already be pwned by sending them a Word document with a macro inside…

Curious January 16, 2020 1:41 PM

I can’t help but think: playing along with the idea of mine, of there maybe being a massive amount of files everywhere being compromised, as if maybe having been tampered with (infiltration and tampering of assets). If there is an ultimate danger of data files in general having been compromised, and maybe all backups as well, maybe it could really be deemed so disastrous that NSA realistically can’t be thought of as being benign even though they appear to have wanted to disclose a vulnerability/exploit? Or, maybe, even, the mere idea of the flaw having been publicly disclosed by a military org like NSA could in itself be considered offensive and provocative, as if intended to sow distrust as an intent to influence and destabilize organizations and industry?

Curious January 16, 2020 1:58 PM

To add to what I wrote:

I guess, instead of sounding dramatic, I wanted to say that I am wondering if there are perhaps irreparable damages to be considered for such a flaw to even have existed.

Sancho_P January 16, 2020 2:56 PM

@wiredog (re: complaining about Windows 7 being retired)

”Even Linuxes older than 10 years are unsupported. Well, unless you want to upgrade to a newer kernel and libraries. Which is, well, what happens when you go from Windows 7 to 10.”

By far not a Linux (desktop) fan, I don’t think this comparison is fair.
The jump from 7 to 10 is much more than changing the Tux’ heart, the kernel.

Ending support is understandable, but for a widespread OS or SW it must be mandatory to publish the source and to transfer it into public domain when support ends.
Billions have paid, many with their tears, and a lot were criminally forced to pay to Mi$o but didn’t want Win at all.
It’s crystal clear: Rocinante now belongs to us!

Sancho_P January 16, 2020 2:59 PM

@Curious:

You mean something along the line:
“Your honour, I don’t know when or how these files came onto my drives, or probably left them, without my knowledge.
What I know is that I own the physical part of my machine, but not the system.”
?

SpaceLifeForm January 16, 2020 3:00 PM

@ Anders

Interesting timestamps, yes.

I noticed yesterday, an optional win7 update.

KB2310138 Version 1.307.2401.0

It is for Microsoft Security Essentials

The title:

‘Security Intelligence Update for Microsoft Security Essentials’

My parser crashed.

Did not install. Opted for a beer instead.

One other note. Someone who works as a mil subcontractor observed that while the user has a mil computer and a subcontractor computer on their desk, only the subcontractor computer received the updates.

Which may possibly confirm my theory that inside DOD, the problem was already patched some time before, and it was invisible to the user. NSA does not want to talk about timeframes, but rumour has it that it was discovered 5 years ago.

The KB I noted above may be to watch for attacks, and report back. Windows 7 and 8 do support ECC (albeit not fully), but attackers may not care or realize.

Even though the problem is allegedly in 10 only because it does not validate the curve parameters correctly, collecting info on attacks targeting/originating win 7 or 8 machines may be useful.

So, that may be the point of the KB for 7.

Need more research.

lurker January 16, 2020 3:44 PM

@Vesselin Bontchev: My browser threw the error, but then I’m not using any version of Windows.
On the subject of certificate checking I’ve recently started using ClawsMail as my mail client, and it tells me (seems like about every 10 days) when Gmail changes its certificates. No other app I ever used to access gmail has noticed this behaviour…

SpaceLifeForm January 16, 2020 4:32 PM

KB2310138

The version I noted is already old.

Security Essentials Updates are fast and furious for an OS version that is no longer supported.

Windows 7 is not dead. It will still download ‘stuff’.

It may not just be a flesh wound.

Late on EOL day (2020-01-14 18:47:16), MS put on a web page that the last update was version 1.307.2344.0; I observed 1.307.2401.0, and the last check on the MS website shows 1.307.2475.0.

So, over many updates in 48 hours.

Interesting.

Anders January 16, 2020 5:07 PM

@SpaceLifeForm

There’s another one waiting in line…

2020-01 Servicing Stack Update for Windows 7 for x64-based Systems (KB4536952)

SpaceLifeForm January 16, 2020 7:43 PM

@ Security Sam

I may know who you are, via non-artifical intelligence, via cross correlation.

No ip packets needed.

Just saying, good mix on your prose.

You know who I am. Pretty sure I know you from elsewhere under a different nym.

I may be completely off base here, but if not, then you get my drift.

If I am completely off base, well, you have been warned.

SpaceLifeForm January 16, 2020 7:57 PM

A worthy link

hxxps://research.kudelskisecurity.com/2020/01/15/cve-2020-0601-the-chainoffools-attack-explained-with-poc/amp/

SpaceLifeForm January 16, 2020 8:26 PM

@ Anders

Hmmm. Like I said, Win7 not dead.

Here’s an interesting note from the link:

‘The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.’

Why?

https://support.microsoft.com/en-us/help/4536952/servicing-stack-update-for-windows-7-sp1-and-server-2008-r2-sp1

If you dig, you will see they have fixes for 32 bit.

Why?

You can see that they had an EXTREMELY LARGE SET of updates on 2019-12-31.

For both 32 bit and 64 bit.

Why?

Maybe because NSA fixed the source code for MS.

And win7 actually works on 32 bit.

And maybe NSA is not ready to dump win7.

Just saying.

Curious January 17, 2020 2:39 AM

@SpaceLifeForm

I believe Microsoft stopped always listing specific changes a long time ago, as if they don’t want you to know what is in an update or something.

Curious January 17, 2020 2:59 AM

Btw, apparently ‘Chain of fools’ is a song title (Aretha Franklin 1967). I guess that was perhaps obvious to everyone, but not to me. Maybe a problem of naming crypto concepts not being original? Or, maybe it wouldn’t be an issue at all.

Curious January 17, 2020 6:00 AM

Apologies for all these questions, I thought they made sense to me, and that they maybe would be of interest.

“Specifically, it is possible to craft a private key for an existing public key, as soon as you are not using the standard generator, but instead can choose any generator. And you can choose you own generator in X.509 certificates by using an “explicit parameters” option to set it.”

From: https://research.kudelskisecurity.com/2020/01/15/cve-2020-0601-the-chainoffools-attack-explained-with-poc/

I wonder if I misunderstand this from the quoted text above. Apologies in advance if I get this wrong; please indulge me not knowing much about crypto.

Q1: It might be possible to simply derive the private key for a certificate based on ECC, given a known public key, and insofar as you are allowed by the make-digital-certificate-software to generate a certificate. But surely that isn’t right, that would be freaky wouldn’t it?

Q2: Would any kind of make-certificate-software, even your own, make deriving the private key possible off a public key based on ECC? Surely this isn’t so?

Q3: Would I be correct in thinking that you can here simply derive the original private key off a known public key? I guess not?

Q4: What role does a ‘private key’ play here anyway, if not that in Q3?

Q5: If one doesn’t simply learn the original private key off of knowing the public key, is one simply able to create a new digital certificate this way, as opposed to, having learned the private key of an existing digital certificate? Did I understand this more correctly now?

Q6: Could the fake private key, simply be a number like 1, something that can be guessed by anyone? Or, equally bad, any other number, that you then can use to decipher data because someone would ofc know the private key?

Q7: How is it even possible to create a private key that matches an existing public key? I guess I intuitively thought that you sort of couldn’t have multiple private keys for any given private key. Or is that perhaps a feature that would sort of make private keys more secure, because you can’t end up with a private key by excluding the myriad of combinations of public keys? (On second thought, it looks like this is perhaps explained already in the linked article.)

Q8: Does this all mean, that a lot of encrypted stuff, or, digital certificates, especially for any intermediary certificate ever used, are basically suspect and should be made void (because, anyone could have baked in a known private key into the mix)?

Q8.1: Is it entirely thinkable, that, you could simply replace anyone’s, or, any CA’s digital root certificate, by creating a new digital certificate, and carefully switch the original certificate, with a faked one, and nobody would tell the difference? Or how does that work?

Q8.2 If a cert authority thought it was ok, would it even be possible for them to issue faked certificate to unsuspecting buyers/users? I.e is certificate duplication possible, or is that impossible?

Q9: If an intermediary’s digital certificate was compromised, is this even possible, and how would you ever detect, or even know if this ever happened if you rely on an intermediary certificate? (Admittedly, I still don’t know how digital certificates work.)

Q10: If you rely on a chain of CAs for your data traffic, is it even possible to detect anyone now or ever having added another bit of chain of faked authority, with a “fake” certificate, that could decrypt your data in motion? Maybe combined with a state actor’s mass storage of all data that is funneled through one or more physical points, where the “fake” CA is being used, so that they can siphon off data as decrypted at some junction?

Q11: If throwing a “fake” CA into the chain for data in motion (or maybe even other data handling relying on processing that maybe isn’t traditionally thought of as data-in-motion), would it be possible to decipher the data, even if you only had knowledge about one private key in one intermediary CA’s digital certificate? Or am I perhaps misunderstanding how things are encrypted on the fly on the internet with regard to the use of digital certificates and trusting certificate authorities?

Q12: Imagine combining faking authentication using a “fake” digital certificate with covert/overt tampering of physical documents in a specific location (someone’s office), such that when you check to see if your encrypted data is actually encrypted with your own private key, maybe you wouldn’t even know if your private key was changed in some subtle way, like being one bit off in a long string of numbers making up your private key? As if relying on a piece of paper in a safe or something, where your private key is stored. If nothing else, an opposing party could maybe learn indirectly whenever you change your own private key inside your office? Then the opposing party would know from when to break into your office again, to slightly alter their private key at their own location once again? Basically, the idea is that you would end up having the initiative, for knowing when a party makes changes to their key or key infrastructure? I guess, that way, an opposing party can freely associate a known private key with a known public key, to make sense of Q12 (otherwise they could just covertly collect a lot of unassociated private keys found in your office, but not easily know what they are used for, so by knowing both, an opposing party would know very well when, and what, a known private key is used for).

Curious January 17, 2020 6:31 AM

At the risk of repeating myself: I wonder, if you could spoof a digital certificate based on a given/known ‘public key’ and basically be switching out the ‘private key’. Is there a way to detect this having happened at any point, or at all? I guess, if public key crypto rely on authentication based on a public key, then, it seems to me that, it sort of seems risky, if, anyone could switch out the private key and you and others wouldn’t know at all.

Curious January 17, 2020 12:03 PM

If I understood things correctly, I think I read somewhere on Twitter just now, someone claiming that creating a private key to match a given public key, is near instantaneous. So, maybe something that could be done on the fly perhaps? As if you could more easily script an opportunistic attack or something? Not that I would know how any of that would work.

Adi January 17, 2020 12:56 PM

The date stamp in the PDF file name from NSA suggests they have been sitting on and preparing to reveal this “bug” since at least January 2019, if not earlier.

CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF

And yes, that date of 2019 01 14 in the file name is most likely not a typo, since we’re talking about NSA here… they don’t make this type of typo when reporting bugs to Microsoft, reviewed and validated by at least 3…5 people.
They probably already milked it for everything they could.

Curious January 17, 2020 1:59 PM

I guess it makes sense to not blindly trust NSA at any implied or suggested time of discovery of this, eh, flaw, if there is a risk of there having been a security breach at some earlier point in time. How to make sense of it all, I have no idea, if trying to evaluate at what earliest point a security breach might have happened (to whoever thinks they could have been subject to such hacking or whatever).

I wonder if it makes sense to speculate if NSA would have wanted to target random entities, for purposes of testing or for creating statistics/surveys. No idea what good that would do though, or what it might mean to try create useful data that way in some random way.

SpaceLifeForm January 17, 2020 4:19 PM

The current possible attack vector requires the attacker to create a malware.msi file (A windows installer file) that is signed with a fake key.

And then, getting a victim to bite on a phish email, where the victim downloads malware.msi, and installs it.

The msi installer may wrongly conclude that it is a legitimate file because the signing key (while fake), appears valid upon following the certificate chain-of-trust.

The first PoC I saw was:

hxxps://mobile.twitter.com/saleemrash1d/status/1217495681230954506

A couple of more came out later.

So, he put his PoC code out

hxxps://github.com/saleemrashid/badecparams

The other obvious attack vector requires a MITM job.

But, there may be other vectors to be discovered. It is early in the process.

Clive Robinson January 17, 2020 7:42 PM

@ SpaceLifeForm, Adi, MarkH,

But, there may be other vectors to be discovered. It is early in the process.

But there is also your earlier point,

Which may possibly confirm my theory that inside DOD, the problem was already patched some time before, and it was invisible to the user. NSA does not want to talk about timeframes, but rumour has it that it was discovered 5 years ago.

Discovered? Hmm maybe, maybe not have a think back to the point @MarkH made about Microsoft and the RFC,

Interestingly — and frustratingly — the standard for representing ECC public key information in X.509 certificates, RFC 5480, includes the language:…

Then if you look at the point @Adi made above,

suggests [the NSA] have been sitting on and preparing to reveal this “bug” since at least January 2019 if not earlier.

Yes it would appear most likely, that there is a lot more to be discovered about this. But based on what we know about this and previous NSA actions, I would be tempted to suggest the following hypothesis,

1) The NSA found the bug or somehow induced Microsoft to put the exploit into the DLL code quite some time before Jan 2019, maybe even earlier than 2015, so maybe some Win7 systems did get hit by the exploit (maybe the NSA even got Microsoft to send it out to all but a few US Gov entities).

2) The NSA used the exploit in various ways, including via their known “faster to respond” half-MITM system that got revealed via the Ed Snowden information release.

3) The NSA “lost” or had reason to believe they had “lost the exploit” to another entity back some time before Jan 2019. We know that both the NSA and CIA have “lost” their tools due to negligence in the past.

4) The NSA then started taking steps to prepare for the exploit being used by another entity back before Jan 2019.

5) In the mean time the NSA carried on using the exploit.

6) The NSA spotted another entity using the exploit against US Gov entities, which might have triggered the Jan 2019 preparation activities.

7) This meant Microsoft preparing a fix for the exploit and releasing it to only some US Gov entities.

8) The knowledge about the exploit became known more generally, or its use ramped up against, say, US defence contractors, or security equipment suppliers to defence contractors, therefore the NSA told Microsoft to make the fix a general release.

Yes it sounds “incredible” or at least it would if we did not have evidence that most of the steps had happened more than once one way or another in the past.

As I said it’s just a hypothesis extrapolated from what we know, without stretching things too far (though I’m sure that will get discussed/debated 😉

So I guess we will have to wait for more indicative evidence to see how far off the mark each point in the hypothesis is, as we did with the Stuxnet predictions about who the real target was (I guessed NK based on what we knew, and eventually that was confirmed). Maybe we should run a friendly sweepstake for “Brownie Points” 😉

Iain W. Bird January 17, 2020 9:22 PM

Just one quick first point to make: any suggestion that a secret update has been slipped into the final Windows 7 updates to protect against this is pure poppycock. I fired up an old Windows 7 VM that has had no updates since October 2018. It was not vulnerable.

The suggestion that some people have made that a parent certificate must also be ECC is simply untrue though. Take a look at the SSL cert on this site, and then follow the chain up. The parents are RSA… https://www.tbs-certificates.co.uk/FAQ/en/USERTrust_ECC_CA.html

John Galt January 17, 2020 9:39 PM

@Iain W. Bird

I fired up an old Windows 7 VM that has had no updates since October 2018. It was not vulnerable.

Hmm my first thought was that this was some NSA idea of getting people to rush install Windows 10 in the hopes of getting the patch. Because apparently the free upgrade to Windows 10 is still possible, according to this article:
https://www.zdnet.com/article/heres-how-you-can-still-get-a-free-windows-10-upgrade/

But if Win 7 is not even vulnerable then that is of course better news…

Iain W. Bird January 17, 2020 10:42 PM

@John Galt

The cynic inside me says: why would anyone implement a clause from RFC 5480 that says ‘MUST NOT’? This has already been discussed above.

“The parameter for id-ecPublicKey is as follows and MUST always be
present:

 ECParameters ::= CHOICE {
   namedCurve         OBJECT IDENTIFIER
   -- implicitCurve   NULL
   -- specifiedCurve  SpecifiedECDomain
 }
   -- implicitCurve and specifiedCurve MUST NOT be used in PKIX.
   -- Details for SpecifiedECDomain can be found in [X9.62].
   -- Any future additions to this CHOICE should be coordinated
   -- with ANSI X9.”

“--” is a comment in the specification.

I used to design parts for nuclear power in a past life.

In another past life I had access to the source code for Windows NT4 and Windows 2000, whilst writing C code for a big USA company that provided high availability software. Lots of high end companies do have access to the source code.

These days I spend all day looking at CVE reports from Rapid7, a bit of pen testing and reverse engineering too, to give advice to protect my clients.

My favourite free tool is RETDEC. Check it out if you don’t know what it is. You can “decompile” the crypt32 DLL and see what changes are in the new one when it gets installed.
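An added example, not code from the thread or from crypt32, modelling both the construction quoted from the Kudelski write-up in Curious’s comment above (keep the public key, pick any private key d', and set the generator to G' = d'^-1 * Q) and the RFC 5480 “MUST NOT” clause quoted just above. It uses a constructed 19-point textbook curve (y^2 = x^3 + 2x + 2 over F_17) and a constructed named-curve registry; `vulnerable_root_match` is a model of the pre-patch behaviour the thread describes (matching the trusted root on the public key alone), and `strict_root_match` shows the check a verifier should make.

```python
import hashlib
from math import gcd

# Toy curve y^2 = x^3 + 2x + 2 over F_17 (the textbook example from Paar & Pelzl).
# The group has prime order 19, so every finite point generates the whole group.
P, A, B = 17, 2, 2
INF = None  # point at infinity

# Constructed registry standing in for the named-curve OIDs a real verifier knows.
NAMED_CURVES = {"toy-17": {"p": P, "a": A, "b": B, "G": (5, 1), "n": 19}}


def inv_mod(x, m):
    return pow(x, -1, m)  # modular inverse, Python 3.8+


def point_add(p1, p2):
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # p1 == -p2 (also covers doubling a point with y == 0)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv_mod(2 * y1 % P, P) % P
    else:
        lam = (y2 - y1) * inv_mod((x2 - x1) % P, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, pt):
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def point_order(pt):
    n, acc = 1, pt
    while acc is not INF:
        acc = point_add(acc, pt)
        n += 1
    return n


def curve_params(cert):
    """Generator and order as the certificate itself presents them: explicit
    parameters win if present, which is exactly what made the flaw exploitable."""
    spec = cert["curve"]
    if "explicit" in spec:
        return spec["explicit"]["G"], spec["explicit"]["n"]
    named = NAMED_CURVES[spec["named"]]
    return named["G"], named["n"]


def make_root(curve_id, d):
    """Legitimate trusted root: named curve plus public key Q = d*G (d stays with the CA)."""
    c = NAMED_CURVES[curve_id]
    return {"curve": {"named": curve_id}, "public_key": scalar_mult(d, c["G"])}


def explicit_params_cert_for_public_key(target_pub, chosen_priv, curve_id):
    """The construction quoted from the Kudelski write-up: same Q, chosen d', and a
    generator G' = d'^-1 * Q carried in explicit parameters, so that d' * G' == Q."""
    c = NAMED_CURVES[curve_id]
    g_prime = scalar_mult(inv_mod(chosen_priv, c["n"]), target_pub)
    explicit = {"p": c["p"], "a": c["a"], "b": c["b"], "G": g_prime, "n": c["n"]}
    return {"curve": {"explicit": explicit}, "public_key": target_pub}


def vulnerable_root_match(cert, trusted_roots):
    """Model of the pre-patch behaviour described in the thread: a candidate root is
    treated as the cached trusted root when only the public key point matches."""
    return any(cert["public_key"] == r["public_key"] for r in trusted_roots)


def strict_root_match(cert, trusted_roots):
    """Hardened check: explicit parameters are rejected outright (RFC 5480 MUST NOT),
    and the named curve has to match the trusted root as well as the key."""
    if "explicit" in cert["curve"]:
        return False
    return any(cert["public_key"] == r["public_key"] and cert["curve"] == r["curve"]
               for r in trusted_roots)


def hash_to_int(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def ecdsa_sign(msg, d, G, n):
    """Toy ECDSA. The nonce comes from a deterministic search, fine for a 19-element
    demonstration group but not how a real signer chooses k."""
    z = hash_to_int(msg, n)
    for k in range(1, n):
        if gcd(k, n) != 1:
            continue
        r = scalar_mult(k, G)[0] % n
        s = inv_mod(k, n) * (z + r * d) % n
        if r and s:
            return (r, s)
    raise ValueError("no usable nonce")


def ecdsa_verify(msg, sig, Q, G, n):
    r, s = sig
    if not (0 < r < n and 0 < s < n):
        return False
    w = inv_mod(s, n)
    z = hash_to_int(msg, n)
    R = point_add(scalar_mult(z * w % n, G), scalar_mult(r * w % n, Q))
    return R is not INF and R[0] % n == r


def verify_with_cert_params(msg, sig, cert):
    """A verifier that honours the certificate's own parameters accepts signatures
    made with d' under G', even though the key point Q is the trusted root's."""
    G, n = curve_params(cert)
    return ecdsa_verify(msg, sig, cert["public_key"], G, n)
```

The point of the two matchers is that the crafted certificate is indistinguishable from the root by public key alone; only comparing (or refusing) the curve parameters separates them.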

MarkH January 18, 2020 1:24 AM

@ Clive, SpaceLifeForm, Adi:

  1. That NSA “sat” on this is surely plausible. However, we probably will have no way to discover this.
  2. If NSA did know, my bet is that the triggering event for disclosure would be any exploit in the wild, whether targeted to government assets or not. NSA has long been concerned with securing civilian data systems against anybody except themselves, which is very much a matter of national security.
  3. Outside their most sensitive core technical activities — at which they’re likely the best in the world (in at least some domains) — NSA is a gang of slobs like any other sprawling white-collar organization. (See the saga of Snowden, Edward.)

Either they really prepared for this disclosure a year in advance for some obscure reason, and then clumsily leaked this awkward fact, with the eventual release date exactly one year to the day in the future … or they clumsily mistyped the recently expired year (which is a fairly frequent clerical mistake in January).

You can guess which kind of clumsiness seems more likely to me!

  4. I also suggest that NSA wouldn’t focus primarily on whether their own exploit (if any) might have leaked. Most of us assume that their network surveillance is extremely broad; if somebody started exploiting such a vector, they’d likely discover that very quickly. Whether the exploit was consequent to a leak, or independent discovery, would be immaterial to their response.

Curious January 18, 2020 11:53 AM

@Lots.of.nuts.here

Well, I hope nobody thinks less of this blog because of me. I don’t have to write anything here, but most other websites are a hassle and often require logging into FB and such, or explicitly require using your own name. My forte certainly isn’t knowledge of crypto stuff but other things like philosophy and to some extent language in general, but I think computer security in general is fairly interesting. It looks mostly like a shitshow though. To me, such is both horrific and amusing.

20 years ago, I couldn’t care less for privacy related issues on the net; I was busy with other things and I guess I hardly had an opinion on the subject. Today, things seem bleak and terrible, but at least I care a lot more about privacy. I probably wouldn’t care at all if it wasn’t for all the people writing on the subject up to this point on the internet, or otherwise showing an interest in it, because apparently I can’t rely on my local newspapers to offer insights into privacy or computer security related issues, because local newspapers aren’t any good in that regard I think.

I like to think that I try to sound unpretentious, so that it isn’t coming across as being strongly opinionated about things I don’t know much about.

Feel free to elaborate.

SpaceLifeForm January 18, 2020 2:08 PM

@ MarkH, Clive, Adi

I think we are all on the same page.

I have zero reason to discount any probability that cve-2020-0106 was not intentionally introduced.

I think this may be about the Shadow Brokers. The timing fits pretty well.

SpaceLifeForm January 18, 2020 2:39 PM

@ Clive, MarkH, Adi

I would not conclude that NSA coerced MS to plant the hole.

It may be due to a double agent.

Spy vs Spy.

Where are those Shadow Brokers anyway?

SpaceLifeForm January 18, 2020 3:04 PM

@ MarkH, Clive, Adi

“Most of us assume that their network surveillance is extremely broad; if somebody started exploiting such a vector, they’d likely discover that very quickly. Whether the exploit was consequent to a leak, or independent discovery, would be immaterial to their response.”

Agree. I would not conclude that the response would be fast and furious.

I’m sure they discovered it via traffic analysis, but would not respond immediately.

Much more important to find who was using the flaw. So, they sit, wait, collect data.

How many honeypots required?

Bo Bolinski February 11, 2020 8:31 PM

Everyone knows the NSA are a beneficent, lovely, heart-warming group of nice people who care for us all and want to come to your home to love you and your family. What’s the problem? Let them in and give them tea and biscuits. Give them a bed for the night. Introduce them to your granny and your young children…
