
Microsoft will patch Windows 10 after NSA told it about a major vulnerability - rexbee
https://www.cnbc.com/2020/01/14/microsoft-to-patch-windows-10-after-nsa-finds-vulnerability.html
======
mzs
crypt32.dll

>Update, Jan. 14, 9:20 a.m. ET: The NSA’s Neuberger said in a media call this
morning that the agency did indeed report this vulnerability to Microsoft, and
that this was the first time Microsoft will have credited NSA for reporting a
security flaw. Neuberger said NSA researchers discovered the bug in their own
research, and that Microsoft’s advisory later today will state that Microsoft
has seen no active exploitation of it yet.

>According to the NSA, the problem exists in Windows 10 and Windows Server
2016. Asked why the NSA was focusing on this particular vulnerability,
Neuberger said the concern was that it “makes trust vulnerable.” The agency
declined to say when it discovered the flaw, and that it would wait until
Microsoft releases a patch for it later today before discussing further
details of the vulnerability.

[https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-...](https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/)

------
rurban
Looks like another ASN1 parser vulnerability.

[https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA...](https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF)

Nope, even worse. They apparently didn't check the base point:
[https://news.ycombinator.com/item?id=22047573](https://news.ycombinator.com/item?id=22047573)

