back to article Months after NSA disclosed Microsoft cert bug, datacenters remain unpatched

Most Windows-powered datacenter systems and applications remain vulnerable to a spoofing bug in CryptoAPI that was disclosed by the NSA and the UK National Cyber Security Center (NCSC) and patched by Microsoft last year, according to Akamai's researchers. CryptoAPI helps developers secure Windows-based apps using cryptography …

  1. Anonymous Coward
    Anonymous Coward

    Given the announced O365 survey, security updates are now (more) suspect..

    As MS has announced it will start adding things to what they formerly alleged to be "purely" security updates I think more and more companies will start getting wary about just what they're installing.

    So, on top of the weekly gamble with uptime they now also get the problem of possibly adding intercept capabilities, and as those are produced by Microsoft they can't exactly be sure that those are properly locked down either..

  2. that one in the corner Silver badge

    assumption that the .. cache ..., MD5-based, is collision-free

    Huh? That is a lousy assumption to make, no matter *what* hash you use to index a cache, you can *never* assume it is collision-free!

    Trivially, every hash will generate collisions, it is inevitable: reducing every single input to a fixed-size hash of k bits means that as soon as the world has processed 2^k + 1 inputs there *must* have been at least one collision. The point at which there is a 50% chance of hitting a collision is a far, far smaller number than 2^k

    2^k may be a huge number, but it is not a guarantee that no collisions can occur. So that cache was going to break for someone, somewhere, even without any malicious intent. It was just a low probability that it would be *your* system that was impacted today.

    Certainly hope that no other code is using a cryptographic hash as an index and assuming that the results are unique <cough>

    Remember, breaking a hash, the way MD5 was broken, just means that the task of *finding* a collision with a specific target is a lot easier (trivial, even); it doesn't mean that such collisions are impossible.

    1. FlamingDeath Silver badge

      Re: assumption that the .. cache ..., MD5-based, is collision-free

      Now now there, you're imagining a world of software engineers, asking themselves "what if"

      What we're witnessing in the software world, clearly shows nobody is asking these pertinent questions

      Programmer: Hey everybody look at my new program, it does x y and z

      Everybody: What else does it do?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like