back to article Welcome to the 2020s: Booby-trapped Office files, NSA tipping off Windows cert-spoofing bugs, RDP flaws...

In the first Patch Tuesday of the year, Microsoft finds itself joined by Adobe, Intel, VMware, and SAP in dropping scheduled security updates. 49 fixes from Microsoft This month's Microsoft security fixes include three more remote-code-execution vulnerabilities in Redmond's Windows Remote Desktop Protocol software. Two of the …

  1. Zarno Bronze badge

    Confusing.

    I'm a little confused as to why the NSA would want to plug this hole?

    Seems they have a lot to gain and little to lose leaving it there.

    1. NetBlackOps Bronze badge

      Re: Confusing.

      Think about all the government machines out there and those with personal access, as in my case, to DoD networks.

      1. RunawayLoop

        Re: Confusing.

        Hacking commencing in 3...2....1....

        1. NetBlackOps Bronze badge

          Re: Confusing.

          Same thing I've said to the what, me sorry crowd. Reversing this will not be that hard given that the tools to do so are fairly.decent these days.

    2. Anonymous Coward
      Anonymous Coward

      Re: Confusing.

      @Zamo

      "intercepting secure network communications" is their job - not anyone else's.

      ;)

    3. Benchops

      Re: Confusing.

      They clearly have other methods of installing software or intercepting encrypted comms. They must have deemed this one too obvious...

    4. Anonymous Coward
      Boffin

      Re: Confusing.

      Others may have found out about it and were starting to use it. They would keep it secret so long as only they are aware of it, but want it fixed once others find out.

      1. Anonymous Coward
        Anonymous Coward

        Re: Confusing.

        Perhaps they got wind that a whistleblower was about to publically disclose that the NSA had been aware of it and were actively exploiting it, and the NSA simply wanted to pre-empt this scenario and try to come of it out looking like the Good Guys?

        BBC: Windows 10: NSA reveals major flaw in Microsoft's code

        "The US National Security Agency (NSA) has discovered a major flaw in Windows 10 that could have been used by hackers to create malicious software that looked legitimate."

        Isn't the whole point of Windows 10 that it *is* malicious software that's designed to look legitimate ?

        1. Version 1.0 Silver badge

          Re: Confusing.

          Maybe Microsoft have just moved the bug somewhere else - it's patched to prevent anyone accessing the public hole.

          Given that Microsoft have been release "bug-fixes" every month for years now, how good do you think their coding is? The best approach, as a user, is to assume that everything is hacked these days.

      2. Michael Wojcik Silver badge

        Re: Confusing.

        Yes. This is sometimes known as an "exploit pool collision". There's a good (long) report from RAND from a couple of years ago on 0-days which discusses government 0-day hoarding at length, including disclosure strategies.

        The value of an unpublished 0-day drops as more hoarders discover it (or learn about it through leaks, purchase it on the exploit market, etc). Eventually there's more value in getting it fixed.

    5. Smooth Newt Silver badge
      Happy

      Re: Confusing.

      I'm a little confused as to why the NSA would want to plug this hole?

      Because they found someone else using it?

      The NSA found the vulnerability, but haven't said what they were looking at when they found it.

      First commandment: You shall have no other people spying on you before me.

    6. Anonymous Coward
      Anonymous Coward

      Re: Confusing.

      It is a bit like google securing your metadata, they do not want anyone else to have access, except for google in the case of google.

      Microsoft, google, yahoo, facebook, paltalk, youtubre, skype, AOL and Apple were all in the the leaked PRISM slides as data collection sources.

    7. Ogi

      Re: Confusing.

      > Seems they have a lot to gain and little to lose leaving it there.

      They have probably found out (a) a new zero day hole, and/or (b) others have discovered this hole and are using it (possibly against NSA/allied systems).

      At the point where your adversaries know and exploit the vulnerabilities you know about (or just defend from them), that is the time you should patch it and move to some other zero-day exploit,

      The NSA also has a mandate to defend against threats, it is a balance between knowing vulnerabilities (to exploit others) and disclosing them to be fixed.

      1. Anonymous Coward
        Anonymous Coward

        "A" new zero day hole?

        I'm sure the NSA has a whole library of them, but until one is found out by someone else why would they use a new one when the old one works fine? Because once you start using one, it increases the chances that it will be reverse engineered by someone looking into what happened or escape into the wild by a careless black bagger.

    8. NoneSuch Silver badge
      Devil

      Re: Confusing.

      Simple. The NSA had it in their zero day vault for quite some time. Then they found out North Korea or China had it as well and decided then that the public needed to know.

    9. Adam 1

      Re: Confusing.

      <tinfoilhat>

      From NSA advisory:

      Certificates with named elliptic curves, manifested by explicit curve OID values, can be ruled benign. For example, the curve OID value for standard curve nistP384 is 1.3.132.0.34. Certificates with explicitly-defined parameters (e.g., prime, a, b, base, order, and cofactor) which fully-match those of a standard curve can similarly be ruled benign.

      ---

      So basically the unexplained magic numbers in the published standard are totally secure.

      Hmmm. I'm sure I've seen this movie before ...

      </tinfoilhat>

  2. JakeMS
    Unhappy

    Linux?

    No major Linux related security issues yet? :-|. Me and my tux are feeling a little left out over here :-(.

    1. gerdesj Silver badge
      Linux

      Re: Linux?

      "No major Linux related security issues yet?"

      I run Arch on nearly everything I touch that doesn't have Ubuntu on it but we cannot be complacent. Your OS choice should be only one component in "defence in depth", not all of it.

    2. Anonymous Coward
      Anonymous Coward

      Re: Linux?

      Have you even looked?

      https://www.linuxcompatible.org/story/linux-security-roundup-for-week-2-2020/

      1. Anonymous Coward
        Anonymous Coward

        Re: Linux?

        Too many Linux users seem to have this assumption that their OS is immune from security issues. This is worrying. I have to manage a mixed fleet of machines and at least I know when and where to look for MS updates.

        By far the worst security flaw I have seen in the last few years is the issue on Citrix ADC/NetScaler reported in December. It is the only flaw I have seen actively exploited recently. A clients appliance was hit over the weekend as we were still waiting for approval to apply the mitigation. This happened almost as soon as exploit code was made public. Although not Linux it is Apache running on FreeBSD, another supposedly secure FOSS combination.

        No matter which OS you run, if you don't patch you are in danger of being compromised. Sticking your fingers in your ears and going "LA LA LA Linux" is a poor way of managing machines.

        1. Anonymous Coward
          Anonymous Coward

          Re: Linux?

          Simple economics. there is more to gain by researching MS desktop / server flaws then any other O/S

          Market Share!

          I wish MS haters would present valid arguments.

          When Amazon or Linux deliver market share wining desktop services it is very likely that the criminals will direct their attention

          Remember: Regardless of O/S it runs on a common CPU architecture. If man builds it man can break it.

          As for NSA? eternal blue anyone !

    3. diodesign (Written by Reg staff) Silver badge

      Re: Linux?

      If the Linux world had a Patch Tuesday, we'd cover it. Maybe we should invent Patch Monday for GNU/Linux and other open-source operating systems.

      C.

      1. Doctor Syntax Silver badge

        Re: Linux?

        The patches are sent out as and when necessary. No hoarding them for a few weeks. I haven't seen many recently, though.

        1. diodesign (Written by Reg staff) Silver badge

          "The patches are sent out as and when necessary"

          Yeah dude we know.

          Every day, we have to make decisions on what stories to write up: what can be completed in time before something gets too old. Stuff has to be prioritized. There also has to be a healthy mix of stories, it can't all the the same stuff everyday.

          So if there are enough Linux world patches to fill a monthly roundup, then that may be the best way to summarize it, because we may not have the time or people to write a story every time a patch arrives.

          Obviously, the latency in rounding up the patches is non-optimal, and critical ones could be written up immediately because they prioritize over other stories.

          C.

          1. Anonymous Coward
            Anonymous Coward

            Re: "The patches are sent out as and when necessary"

            I don't think it will drive much traffic for the 5 people using Linux... the millions of Windows trolls though.

            /JK! I'm also using Linux, so I know there's at least 6 of us.

            1. Fading Silver badge
              Mushroom

              Re: "The patches are sent out as and when necessary"

              Cough - at least 7. The big difference between MS patches and Linux patches (in my humble experience) is as follows: Deploy Linux patch - everything still works. Deploy MS patch and wait for the screams.......

              1. Anonymous Coward
                Anonymous Coward

                Re: "The patches are sent out as and when necessary"

                See above. It's far easier to manage patching for 5 users instead of 50000.

                Servers too usually run far less different software, often quite stable releases, and are configured more carefully.

              2. hakuli

                Re: "The patches are sent out as and when necessary"

                You got it wrong.

                It's install MS updates > reboot > reboot > make cuppa > reboot > make 2nd cuppa > finished? > broken.

                In contrast, I get a single window on Ubuntu telling me there's updates for X/Y/Z, tell it to install and forget about it immediately.

                (The more I use Linux, the more I find I like it...)

                1. Anonymous Coward
                  Anonymous Coward

                  Re: "The patches are sent out as and when necessary"

                  Which version of Windows are you still using? 0.1? It clearly looks you are just repeating someone else's trolling without any actual knowledge of Windows updates since at least Windows XP. But keep on trolling, you have to convince yourself you did the right move to use Linux, as most Linux users, you look to need continuous self-assurance enforcement....

                  1. hakuli
                    Trollface

                    Re: "The patches are sent out as and when necessary"

                    You got the numbers right, just the wrong way round and with a superfluous full stop... but please, do keep making sweeping generalisations about the alternately-OS'd, won't you?

          2. Doctor Syntax Silver badge

            Re: "The patches are sent out as and when necessary"

            "So if there are enough Linux world patches to fill a monthly roundup"

            The point is that there aren't. A while back when we had HeartBleed etc there were a good few security patches and a lot of activity following the story you broke on Intel leakage. There are probably a lot of patches come through on bleeding edge distros but for the likes of Debian stable releases not much which suggests security patches are few and far between. Now does that mean that either (a) people have reverted to neglecting such things or (b) development practices have moved on and security has become part of the initial build? Whether or not you think there's scope for a story in there there's certainly scope for comment.

            1. Roland6 Silver badge

              Re: "The patches are sent out as and when necessary"

              >The point is that there aren't.

              I would hold back on being smug until a year or so after the "year of the Linux desktop" at which point we can expect people to have looked more seriously at exploiting Linux and discover vulnerabilities that have been there for years or decades...

            2. Anonymous Coward
              Anonymous Coward

              Re: "The patches are sent out as and when necessary"

              This site does a weekly roundup:

              https://www.linuxcompatible.org/story/linux-security-roundup-for-week-2-2020/

      2. storner

        Every day is patch day

        Linux Weekly News lwn.net summarizes the security updates issued by various Linux distributions. There usually is a handful every day.

    4. BonezOz

      Re: Linux?

      Here's today's patches for Ubuntu and Atom:

      atom/any 1.43.0 amd64 [upgradable from: 1.42.0]

      gir1.2-snapd-1/disco-updates 1.49-0ubuntu0.19.04.1 amd64 [upgradable from: 1.49-0ubuntu0.19.04.0]

      libsnapd-glib1/disco-updates 1.49-0ubuntu0.19.04.1 amd64 [upgradable from: 1.49-0ubuntu0.19.04.0]

  3. gerdesj Silver badge
    Gimp

    Danger Will Robinson

    "Despite Uncle Sam's dire warnings, Microsoft said there is no evidence of the flaw being targeted in the wild"

    This *is* a very, very, very, serious flaw. If you own DNS (wifi AP for example) you can MitM lots of things to gather credentials (yum!)

    I wouldn't know where to start with an RDP flaw unless someone posts enough code for me to copy n paste. This I could probably exploit simply by having the skills of a halfway decent sysadmin. I can easily (it'll take a little time) run up a webserver with fake login pages, I could run up enough IMAPS/POPS/SMTPS to gather creds and I could run up Squid and setup WPAD, DHCP, and so on to grab some more creds.

    Patch the bugger on anything that leaves the home or office right now and do the rest as and when.

  4. Benchops

    WHERE'S

    THE LOGO? I've been following all the links and I haven't found a logo yet!

  5. steviebuk Silver badge

    So...

    ... we're told to "Get off Windows 7 from Tuesday 14th Jan or the world will end and your bank account will be cleared out." Only to find there are also RDP bugs in Windows 10 and cert ones. Nice.

    1. storner

      Re: So...

      The difference is that going forward, these bugs will get fixed in Windows 10. Not so on Win 7.

      But of course, the only secure computing device is one that is powered down, all cables unplugged and put inside a Farady cage...

      1. Snapper

        Re: So...

        But of course, the only secure Windows device is one that is powered down, all cables unplugged and put inside a Farady cage...

        There, fixed it for ya!

      2. Roland6 Silver badge

        Re: So...

        >The difference is that going forward, these bugs will get fixed in Windows 10. Not so on Win7.

        Win7 was included in the Jan-14 Patch Tuesday, so these specific bugs have been fixed...

        Given MS's patch cycle, Win7 only really starts becoming more vulnerable after Feb's Patch Tuesday when MS can be expected to only release patches for W10, unless you have a ESU licence.

    2. macjules Silver badge

      Re: So...

      Travelex will be happy to hear that the RDP flaws have been fixed. Or not.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020