Windows CryptoAPI Spoofing Vulnerability (microsoft.com)
32 points by guidovranken 9 days ago | 7 comments

Note that this does not seem to be limited to software signing, but affects all X.509 certificates[0]. This means it can be used for example to man in the middle HTTPS connections.

0: https://mobile.twitter.com/taviso/status/1217146026923978752

Page isn't loading, but it was archived.


Context: This is an anticipated vulnerability reported to Microsoft by the NSA, patched today as part of Patch Tuesday.

Related thread: https://news.ycombinator.com/item?id=22039481

I'm surprised to not see patches for Windows 7 and 8.1 (vuln is rated "important", 7 ends extended support today, 8.1 still has 3 years to go, so both should've qualified). I guess the vulnerability is new in Windows 10?

Win10 added support for Brainpool and Curve25519 ECC curves [0], so this might be where the vulnerability lies.

[0] https://docs.microsoft.com/en-us/windows-server/security/tls...

Microsoft ended support for Windows 7 today. The consensus is that older systems are vulnerable, but not supported by the patch.


Spoofed code signing certificate?

This sounds more like a key leak than a code exploit, no?
