
Windows CryptoAPI Spoofing Vulnerability - guidovranken
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
======
K0nserv
Note that this does not seem to be limited to software signing, but affects
all X.509 certificates[0]. This means it can be used for example to man in the
middle HTTPS connections.

0:
[https://mobile.twitter.com/taviso/status/1217146026923978752](https://mobile.twitter.com/taviso/status/1217146026923978752)

------
CiPHPerCoder
Page isn't loading, but it was archived.

[https://archive.md/tykYn](https://archive.md/tykYn)

------
guidovranken
Context: This is an anticipated vulnerability reported to Microsoft by the
NSA, patched today as part of patch Tuesday.

Related thread:
[https://news.ycombinator.com/item?id=22039481](https://news.ycombinator.com/item?id=22039481)

------
Arnavion
I'm surprised to not see patches for Windows 7 and 8.1 (vuln is rated
"important", 7 ends extended support today, 8.1 still has 3 years to go, so
both should've qualified). I guess the vulnerability is new in Windows 10?

~~~
danielki
Win10 added support for Brainpool and Curve25519 ECC Curves [0], so this might
be where the vulnerability lies

[0] [https://docs.microsoft.com/en-us/windows-
server/security/tls...](https://docs.microsoft.com/en-us/windows-
server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server)

------
kjaftaedi
Spoofed code signing certificate?

This sounds more like a key leak than a code exploit, no?

