
Serious security vulnerability in a core cryptographic component present in all versions of Windows

Sources tell KrebsOnSecurity that Microsoft Corp. is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020.

According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles “certificate and cryptographic messaging functions in the CryptoAPI.” The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates.

A critical vulnerability in this Windows component could have wide-ranging security implications for a number of important Windows functions, including authentication on Windows desktops and servers, the protection of sensitive data handled by Microsoft’s Internet Explorer/Edge browsers, as well as a number of third-party applications and tools.

Equally concerning, a flaw in crypt32.dll might also be abused to spoof the digital signature tied to a specific piece of software. Such a weakness could be exploited by attackers to make malware appear to be a benign program that was produced and signed by a legitimate software company.


 
I just read that article. While this is a valid concern, there aren't many programs that actually use that DLL anymore. It should be noted, the version contained in Windows 7 does not contain the vulnerability. Windows 8 and 8.1 seemingly do.
Waiting on the accusations of m$ bashing that will come with this article.

There have been many threats to Windows via digital certificates. I recall a while ago something about a threat being able to download a fake cert from a fake server; I forget the details. It might have been the Windows XP or Vista era.
 
I just read that article. While this is a valid concern, there aren't many programs that actually use that DLL anymore. It should be noted, the version contained in Windows 7 does not contain the vulnerability. Windows 8 and 8.1 seemingly do.

What? This affects back to NT4 and almost ANYTHING that uses cryptography in windows uses crypt32.

EDIT: Nevermind, depends on configuration of ecc curves. Win10+ only. Was going by initial article text.
 
What? This affects back to NT4 and almost ANYTHING that uses cryptography in windows uses crypt32.
This vulnerability is version dependent, as changes to it since Windows 7 and Windows 8.1 are what caused the problem. If you read the NSA provided PDF at the bottom of the article, more details are provided. They specifically state that Windows 10 and Server 2016/2019 are affected. The NSA does not adhere to Microsoft's product lifecycle roadmaps and is obligated by law to disclose any and all affected platforms regardless of vendor support. They listed only those Windows versions, so only those are affected by this vulnerability. The devil is in the details.

Additionally, the Carnegie Mellon University research page specifically states:
"Microsoft Windows versions that support certificates with ECC keys that specify parameters are affected. This includes Windows 10 as well as Windows Server 2016 and 2019. Windows 8.1 and prior, as well as the Server 2012 R2 and prior counterparts, do not support ECC keys with parameters. For this reason, such certificates that attempt to exploit this vulnerability are inherently untrusted by older Windows versions. "

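The Carnegie Mellon quote above turns on one structural detail: whether a certificate's ECC key names its curve by OID or spells the curve parameters out, since only Windows versions that accept the spelled-out form are listed as affected. As an added example that is not from the thread, KrebsOnSecurity, CERT or Microsoft, here is a stdlib-only Python check that walks the DER of a SubjectPublicKeyInfo and reports which form it finds, so a defender can audit a trust store or a captured certificate chain for keys with explicit parameters; it also illustrates the certificate handling the earlier crypt32.dll description refers to. The function names (classify_spki, needs_review, build_spki) and the sample keys are my own; the sample ECParameters use toy values and are not a real curve or a real public key.

```python
"""Flag ECC SubjectPublicKeyInfo structures whose AlgorithmIdentifier carries
explicit curve parameters (a SEQUENCE) instead of a named-curve OID.

Added example, standard library only. The sample keys below are constructed
and are not real curve parameters or real public keys."""

OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"   # id-ecPublicKey
OID_PRIME_FIELD = "1.2.840.10045.1.1"     # prime-field
OID_P256 = "1.2.840.10045.3.1.7"          # secp256r1 / P-256

TAG_INTEGER, TAG_BIT_STRING, TAG_OCTET_STRING = 0x02, 0x03, 0x04
TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x05, 0x06, 0x30


def _der_length(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    """Wrap body in a DER TLV with a single-byte tag."""
    return bytes([tag]) + _der_length(len(body)) + body


def encode_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]            # base-128 digits, low digit first
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(TAG_OID, bytes(out))


def decode_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                # last digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_tlv(data, pos=0):
    """Return (tag, content, position after the element) for one DER TLV."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                   # long form: low bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def classify_spki(spki):
    """Describe the AlgorithmIdentifier of a DER SubjectPublicKeyInfo.

    Returns the algorithm OID, the kind of parameters found ('named',
    'explicit', 'implicit', 'absent', 'not-ec' or 'unknown') and the
    named-curve OID when there is one."""
    tag, body, _ = parse_tlv(spki)
    if tag != TAG_SEQUENCE:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    alg_tag, alg, _ = parse_tlv(body)           # AlgorithmIdentifier
    if alg_tag != TAG_SEQUENCE:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    oid_tag, oid, pos = parse_tlv(alg)
    if oid_tag != TAG_OID:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    result = {"algorithm": decode_oid(oid), "parameters": "unknown", "curve": None}
    if result["algorithm"] != OID_EC_PUBLIC_KEY:
        result["parameters"] = "not-ec"
    elif pos >= len(alg):
        result["parameters"] = "absent"
    else:
        ptag, pbody, _ = parse_tlv(alg, pos)
        if ptag == TAG_OID:                     # namedCurve: the usual case
            result["parameters"], result["curve"] = "named", decode_oid(pbody)
        elif ptag == TAG_SEQUENCE:              # ECParameters spelled out
            result["parameters"] = "explicit"
        elif ptag == TAG_NULL:                  # implicitlyCA
            result["parameters"] = "implicit"
    return result


def needs_review(spki):
    """True when the key carries explicit ECParameters, the form the CERT note
    ties to affected Windows versions (assumption: your policy requires
    named curves for every certificate you trust)."""
    return classify_spki(spki)["parameters"] == "explicit"


def build_spki(parameters, point):
    """Constructed helper: SubjectPublicKeyInfo for id-ecPublicKey."""
    algorithm = der(TAG_SEQUENCE, encode_oid(OID_EC_PUBLIC_KEY) + parameters)
    return der(TAG_SEQUENCE, algorithm + der(TAG_BIT_STRING, b"\x00" + point))


# Constructed sample data: a placeholder uncompressed point and toy
# ECParameters with tiny values. Neither is a real key or a real curve.
DUMMY_POINT = b"\x04" + bytes(64)
NAMED_SPKI = build_spki(encode_oid(OID_P256), DUMMY_POINT)
EXPLICIT_PARAMS = der(TAG_SEQUENCE,
    der(TAG_INTEGER, b"\x01")                                                  # version ecpVer1
    + der(TAG_SEQUENCE, encode_oid(OID_PRIME_FIELD) + der(TAG_INTEGER, b"\x17"))  # fieldID
    + der(TAG_SEQUENCE, der(TAG_OCTET_STRING, b"\x01") + der(TAG_OCTET_STRING, b"\x01"))  # a, b
    + der(TAG_OCTET_STRING, b"\x04\x01\x01")                                   # base point
    + der(TAG_INTEGER, b"\x05")                                                # order
    + der(TAG_INTEGER, b"\x01"))                                               # cofactor
EXPLICIT_SPKI = build_spki(EXPLICIT_PARAMS, DUMMY_POINT)

if __name__ == "__main__":
    for label, spki in (("named", NAMED_SPKI), ("explicit", EXPLICIT_SPKI)):
        print(label, classify_spki(spki), "review:", needs_review(spki))
```

Feed it the DER SubjectPublicKeyInfo element taken from a certificate (the subjectPublicKeyInfo field of tbsCertificate, which follows the subject name); a "named" result with a curve OID you recognise is the expected case, and "explicit" is the one worth checking against the vendor advisory for the Windows version in question.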
This vulnerability is version dependent as changes to it since 7 are what caused the problem. If you read the NSA provided PDF at the bottom of the article, more details are provided. They specifically state that Windows 10 and Server 2016/2019 are affected. The NSA does not adhere to Microsoft's product lifecycle roadmaps and are obligated by law to disclose any and all affected platforms regardless of vendor support. They listed only those Windows versions so only those are affected by this vulnerability. The devil is in the details.

Yeah, caught myself in an edit. Should know better than to trust article text, lol.
 