Welcome to the 2020s: Booby-trapped Office files, NSA tipping off Windows cert-spoofing bugs, RDP flaws...

In the first Patch Tuesday of the year, Microsoft finds itself joined by Adobe, Intel, VMware, and SAP in dropping scheduled security updates.

49 fixes from Microsoft

This month's Microsoft security fixes include three more remote-code-execution vulnerabilities in Redmond's Windows Remote Desktop Protocol software. Two of the …

  1. Zarno

    Confusing.

    I'm a little confused as to why the NSA would want to plug this hole?

    Seems they have a lot to gain and little to lose leaving it there.

    1. NetBlackOps

      Re: Confusing.

      Think about all the government machines out there and those with personal access, as in my case, to DoD networks.

      1. RunawayLoop

        Re: Confusing.

        Hacking commencing in 3...2....1....

        1. NetBlackOps

          Re: Confusing.

          Same thing I've said to the what, me sorry crowd. Reversing this will not be that hard given that the tools to do so are fairly decent these days.

    2. Anonymous Coward
      Anonymous Coward

      Re: Confusing.

      @Zarno

      "intercepting secure network communications" is their job - not anyone else's.

      ;)

    3. Benchops

      Re: Confusing.

      They clearly have other methods of installing software or intercepting encrypted comms. They must have deemed this one too obvious...

    4. Anonymous Coward
      Boffin

      Re: Confusing.

      Others may have found out about it and were starting to use it. They would keep it secret so long as only they are aware of it, but want it fixed once others find out.

      1. Anonymous Coward
        Anonymous Coward

        Re: Confusing.

        Perhaps they got wind that a whistleblower was about to publicly disclose that the NSA had been aware of it and were actively exploiting it, and the NSA simply wanted to pre-empt this scenario and try to come out of it looking like the Good Guys?

        BBC: Windows 10: NSA reveals major flaw in Microsoft's code

        "The US National Security Agency (NSA) has discovered a major flaw in Windows 10 that could have been used by hackers to create malicious software that looked legitimate."

        Isn't the whole point of Windows 10 that it *is* malicious software that's designed to look legitimate?

        1. Version 1.0 Silver badge

          Re: Confusing.

          Maybe Microsoft have just moved the bug somewhere else - it's patched to prevent anyone accessing the public hole.

          Given that Microsoft have been releasing "bug-fixes" every month for years now, how good do you think their coding is? The best approach, as a user, is to assume that everything is hacked these days.

      2. Michael Wojcik Silver badge

        Re: Confusing.

        Yes. This is sometimes known as an "exploit pool collision". There's a good (long) report from RAND from a couple of years ago on 0-days which discusses government 0-day hoarding at length, including disclosure strategies.

        The value of an unpublished 0-day drops as more hoarders discover it (or learn about it through leaks, purchase it on the exploit market, etc). Eventually there's more value in getting it fixed.

    5. Anonymous Coward
      Happy

      Re: Confusing.

      I'm a little confused as to why the NSA would want to plug this hole?

      Because they found someone else using it?

      The NSA found the vulnerability, but haven't said what they were looking at when they found it.

      First commandment: You shall have no other people spying on you before me.

    6. Anonymous Coward
      Anonymous Coward

      Re: Confusing.

      It is a bit like google securing your metadata, they do not want anyone else to have access, except for google in the case of google.

      Microsoft, google, yahoo, facebook, paltalk, youtube, skype, AOL and Apple were all in the leaked PRISM slides as data collection sources.

    7. Ogi

      Re: Confusing.

      > Seems they have a lot to gain and little to lose leaving it there.

      They have probably found out (a) a new zero day hole, and/or (b) others have discovered this hole and are using it (possibly against NSA/allied systems).

      At the point where your adversaries know and exploit the vulnerabilities you know about (or just defend from them), that is the time you should patch it and move to some other zero-day exploit.

      The NSA also has a mandate to defend against threats, it is a balance between knowing vulnerabilities (to exploit others) and disclosing them to be fixed.

      1. Anonymous Coward
        Anonymous Coward

        "A" new zero day hole?

        I'm sure the NSA has a whole library of them, but until one is found out by someone else why would they use a new one when the old one works fine? Because once you start using one, it increases the chances that it will be reverse engineered by someone looking into what happened or escape into the wild by a careless black bagger.

    8. NoneSuch Silver badge
      Devil

      Re: Confusing.

      Simple. The NSA had it in their zero day vault for quite some time. Then they found out North Korea or China had it as well and decided then that the public needed to know.

    9. Adam 1

      Re: Confusing.

      <tinfoilhat>

      From NSA advisory:

      Certificates with named elliptic curves, manifested by explicit curve OID values, can be ruled benign. For example, the curve OID value for standard curve nistP384 is 1.3.132.0.34. Certificates with explicitly-defined parameters (e.g., prime, a, b, base, order, and cofactor) which fully-match those of a standard curve can similarly be ruled benign.

      ---

      So basically the unexplained magic numbers in the published standard are totally secure.

      Hmmm. I'm sure I've seen this movie before ...

      </tinfoilhat>
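The advisory excerpt above describes a triage rule: an EC certificate whose parameters are a named-curve OID (such as 1.3.132.0.34 for nistP384) can be treated as benign, while one carrying explicitly defined curve parameters deserves a closer look. The following is an added example, not code from the thread or from the NSA advisory, showing how a defender can apply that rule to a DER-encoded SubjectPublicKeyInfo with a minimal hand-written ASN.1 walker (no third-party library). The two sample keys are constructed inline with placeholder point and parameter values; the function and constant names are the example's own.

```python
# Classify the ECParameters choice in a DER SubjectPublicKeyInfo:
#   namedCurve      -> OBJECT IDENTIFIER  (tag 0x06)  -> "named"
#   ECParameters    -> SEQUENCE           (tag 0x30)  -> "explicit"
#   implicitlyCA    -> NULL               (tag 0x05)  -> "implicit"
# Named curves can be ruled benign per the advisory; explicit parameters
# need their prime/a/b/base/order compared against a standard curve.

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
KNOWN_CURVES = {                       # OIDs from the standards (nistP384 is quoted on the page)
    "1.2.840.10045.3.1.7": "nistP256",
    "1.3.132.0.34": "nistP384",
    "1.3.132.0.35": "nistP521",
}

# ---- tiny DER helpers (encoding is only used to build the constructed samples) ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:                # base-128 with continuation bits
        chunk = bytearray([p & 0x7F])
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out += chunk
    return der(0x06, bytes(out))

def _read_tlv(buf, pos):
    """Return (tag, body, position after this element)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    parts = [body[0] // 40, body[0] % 40]   # fine for arcs 0 and 1 (and 2.x < 40)
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

# ---- the triage check ----
def classify_ec_spki(spki_der):
    """Return (kind, curve_oid_or_None) for the AlgorithmIdentifier parameters."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, algid, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid_body, pos = _read_tlv(algid, 0)
    if tag != 0x06 or decode_oid(oid_body) != ID_EC_PUBLIC_KEY:
        return ("not-ec", None)
    if pos >= len(algid):
        return ("missing-params", None)
    tag, params, _ = _read_tlv(algid, pos)
    if tag == 0x06:
        return ("named", decode_oid(params))
    if tag == 0x30:
        return ("explicit", None)      # flag for manual comparison against a standard curve
    if tag == 0x05:
        return ("implicit", None)
    return ("unknown", None)

# ---- constructed samples (placeholder values, not real keys) ----
_FAKE_POINT = b"\x04" + b"\x11" * 64                     # uncompressed-point shape only
NAMED_SPKI = der(0x30,
    der(0x30, encode_oid(ID_EC_PUBLIC_KEY) + encode_oid("1.2.840.10045.3.1.7"))
    + der(0x03, b"\x00" + _FAKE_POINT))
_EXPLICIT_PARAMS = der(0x30,                             # ECParameters shape, dummy numbers
    der(0x02, b"\x01")                                   # version
    + der(0x30, encode_oid("1.2.840.10045.1.1") + der(0x02, b"\x07"))  # fieldID (prime-field, p)
    + der(0x30, der(0x04, b"\x02") + der(0x04, b"\x03"))               # curve (a, b)
    + der(0x04, b"\x04" + b"\x22" * 2)                                 # base point
    + der(0x02, b"\x05")                                               # order
    + der(0x02, b"\x01"))                                              # cofactor
EXPLICIT_SPKI = der(0x30,
    der(0x30, encode_oid(ID_EC_PUBLIC_KEY) + _EXPLICIT_PARAMS)
    + der(0x03, b"\x00" + _FAKE_POINT))

if __name__ == "__main__":
    for label, blob in (("named", NAMED_SPKI), ("explicit", EXPLICIT_SPKI)):
        kind, oid = classify_ec_spki(blob)
        print(label, "->", kind, KNOWN_CURVES.get(oid, oid))
```

On a real certificate you would feed it the DER bytes of the SubjectPublicKeyInfo (for example, extracted with an X.509 parser of your choice) and treat anything other than "named" with a known OID as worth inspecting, which is exactly the distinction the quoted advisory draws.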

  2. JakeMS
    Unhappy

    Linux?

    No major Linux related security issues yet? :-|. Me and my tux are feeling a little left out over here :-(.

    1. Anonymous Coward
      Linux

      Re: Linux?

      "No major Linux related security issues yet?"

      I run Arch on nearly everything I touch that doesn't have Ubuntu on it but we cannot be complacent. Your OS choice should be only one component in "defence in depth", not all of it.

    2. Anonymous Coward
      Anonymous Coward

      Re: Linux?

      Have you even looked?

      https://www.linuxcompatible.org/story/linux-security-roundup-for-week-2-2020/

      1. Anonymous Coward
        Anonymous Coward

        Re: Linux?

        Too many Linux users seem to have this assumption that their OS is immune from security issues. This is worrying. I have to manage a mixed fleet of machines and at least I know when and where to look for MS updates.

        By far the worst security flaw I have seen in the last few years is the issue on Citrix ADC/NetScaler reported in December. It is the only flaw I have seen actively exploited recently. A client's appliance was hit over the weekend as we were still waiting for approval to apply the mitigation. This happened almost as soon as exploit code was made public. Although not Linux, it is Apache running on FreeBSD, another supposedly secure FOSS combination.

        No matter which OS you run, if you don't patch you are in danger of being compromised. Sticking your fingers in your ears and going "LA LA LA Linux" is a poor way of managing machines.

        1. Anonymous Coward
          Anonymous Coward

          Re: Linux?

          Simple economics. There is more to gain by researching MS desktop / server flaws than any other O/S.

          Market Share!

          I wish MS haters would present valid arguments.

          When Amazon or Linux deliver market share winning desktop services it is very likely that the criminals will direct their attention.

          Remember: Regardless of O/S it runs on a common CPU architecture. If man builds it man can break it.

          As for NSA? eternal blue anyone !

    3. diodesign (Written by Reg staff) Silver badge

      Re: Linux?

      If the Linux world had a Patch Tuesday, we'd cover it. Maybe we should invent Patch Monday for GNU/Linux and other open-source operating systems.

      C.

      1. Doctor Syntax Silver badge

        Re: Linux?

        The patches are sent out as and when necessary. No hoarding them for a few weeks. I haven't seen many recently, though.

        1. diodesign (Written by Reg staff) Silver badge

          "The patches are sent out as and when necessary"

          Yeah dude we know.

          Every day, we have to make decisions on what stories to write up: what can be completed in time before something gets too old. Stuff has to be prioritized. There also has to be a healthy mix of stories; it can't all be the same stuff every day.

          So if there are enough Linux world patches to fill a monthly roundup, then that may be the best way to summarize it, because we may not have the time or people to write a story every time a patch arrives.

          Obviously, the latency in rounding up the patches is non-optimal, and critical ones could be written up immediately because they prioritize over other stories.

          C.

          1. Anonymous Coward
            Anonymous Coward

            Re: "The patches are sent out as and when necessary"

            I don't think it will drive much traffic for the 5 people using Linux... the millions of Windows trolls though.

            /JK! I'm also using Linux, so I know there's at least 6 of us.

            1. Fading
              Mushroom

              Re: "The patches are sent out as and when necessary"

              Cough - at least 7. The big difference between MS patches and Linux patches (in my humble experience) is as follows: Deploy Linux patch - everything still works. Deploy MS patch and wait for the screams.......

              1. Anonymous Coward
                Anonymous Coward

                Re: "The patches are sent out as and when necessary"

                See above. It's far easier to manage patching for 5 users instead of 50000.

                Servers too usually run far less different software, often quite stable releases, and are configured more carefully.

              2. Anonymous Coward
                Anonymous Coward

                Re: "The patches are sent out as and when necessary"

                You got it wrong.

                It's install MS updates > reboot > reboot > make cuppa > reboot > make 2nd cuppa > finished? > broken.

                In contrast, I get a single window on Ubuntu telling me there's updates for X/Y/Z, tell it to install and forget about it immediately.

                (The more I use Linux, the more I find I like it...)

                1. Anonymous Coward
                  Anonymous Coward

                  Re: "The patches are sent out as and when necessary"

                  Which version of Windows are you still using? 0.1? It clearly looks like you are just repeating someone else's trolling without any actual knowledge of Windows updates since at least Windows XP. But keep on trolling, you have to convince yourself you did the right move to use Linux; as most Linux users, you look to need continuous self-assurance enforcement....

                  1. Anonymous Coward
                    Trollface

                    Re: "The patches are sent out as and when necessary"

                    You got the numbers right, just the wrong way round and with a superfluous full stop... but please, do keep making sweeping generalisations about the alternately-OS'd, won't you?

          2. Doctor Syntax Silver badge

            Re: "The patches are sent out as and when necessary"

            "So if there are enough Linux world patches to fill a monthly roundup"

            The point is that there aren't. A while back when we had HeartBleed etc there were a good few security patches, and a lot of activity following the story you broke on Intel leakage. There are probably a lot of patches that come through on bleeding edge distros, but for the likes of Debian stable releases not much, which suggests security patches are few and far between. Now does that mean that either (a) people have reverted to neglecting such things or (b) development practices have moved on and security has become part of the initial build? Whether or not you think there's scope for a story in there, there's certainly scope for comment.

            1. Roland6 Silver badge

              Re: "The patches are sent out as and when necessary"

              >The point is that there aren't.

              I would hold back on being smug until a year or so after the "year of the Linux desktop" at which point we can expect people to have looked more seriously at exploiting Linux and discover vulnerabilities that have been there for years or decades...

            2. Anonymous Coward
              Anonymous Coward

              Re: "The patches are sent out as and when necessary"

              This site does a weekly roundup:

              https://www.linuxcompatible.org/story/linux-security-roundup-for-week-2-2020/

      2. storner

        Every day is patch day

        Linux Weekly News lwn.net summarizes the security updates issued by various Linux distributions. There usually is a handful every day.

    4. BonezOz

      Re: Linux?

      Here's today's patches for Ubuntu and Atom:

      atom/any 1.43.0 amd64 [upgradable from: 1.42.0]

      gir1.2-snapd-1/disco-updates 1.49-0ubuntu0.19.04.1 amd64 [upgradable from: 1.49-0ubuntu0.19.04.0]

      libsnapd-glib1/disco-updates 1.49-0ubuntu0.19.04.1 amd64 [upgradable from: 1.49-0ubuntu0.19.04.0]

  3. Anonymous Coward
    Gimp

    Danger Will Robinson

    "Despite Uncle Sam's dire warnings, Microsoft said there is no evidence of the flaw being targeted in the wild"

    This *is* a very, very, very, serious flaw. If you own DNS (wifi AP for example) you can MitM lots of things to gather credentials (yum!)

    I wouldn't know where to start with an RDP flaw unless someone posts enough code for me to copy n paste. This I could probably exploit simply by having the skills of a halfway decent sysadmin. I can easily (it'll take a little time) run up a webserver with fake login pages, I could run up enough IMAPS/POPS/SMTPS to gather creds and I could run up Squid and setup WPAD, DHCP, and so on to grab some more creds.

    Patch the bugger on anything that leaves the home or office right now and do the rest as and when.

  4. Benchops

    WHERE'S

    THE LOGO? I've been following all the links and I haven't found a logo yet!

  5. steviebuk Silver badge

    So...

    ... we're told to "Get off Windows 7 from Tuesday 14th Jan or the world will end and your bank account will be cleared out." Only to find there are also RDP bugs in Windows 10 and cert ones. Nice.

    1. storner

      Re: So...

      The difference is that going forward, these bugs will get fixed in Windows 10. Not so on Win 7.

      But of course, the only secure computing device is one that is powered down, all cables unplugged and put inside a Faraday cage...

      1. Snapper

        Re: So...

        But of course, the only secure Windows device is one that is powered down, all cables unplugged and put inside a Faraday cage...

        There, fixed it for ya!

      2. Roland6 Silver badge

        Re: So...

        >The difference is that going forward, these bugs will get fixed in Windows 10. Not so on Win7.

        Win7 was included in the Jan-14 Patch Tuesday, so these specific bugs have been fixed...

        Given MS's patch cycle, Win7 only really starts becoming more vulnerable after Feb's Patch Tuesday when MS can be expected to only release patches for W10, unless you have an ESU licence.

    2. macjules

      Re: So...

      Travelex will be happy to hear that the RDP flaws have been fixed. Or not.
