NSA Discovers Major Cryptographic Security Flaw Present in "All Versions of Windows"

Tsing

The FPS Review
Staff member
Joined
May 6, 2019
Messages
11,075
Points
83
Amusingly enough, Windows 7's EOL date has coincided with a great reason to upgrade from the aging operating system. Krebs on Security received word of a major security vulnerability yesterday involving crypt32.dll, a Windows module present on all versions of the OS since NT 4.0.

Sources claimed that there was a critical vulnerability in the component that "could have wide-ranging security implications for a number of important Windows functions, including authentication on Windows desktops and servers, the protection of sensitive data handled by Microsoft’s Internet Explorer/Edge browsers, as well as a number of third-party applications and tools." It also allowed attackers to spoof digital signatures, meaning that malware could be made to look legitimate.

The security flaw was largely hush-hush until the NSA's media call today, in which Director of Cybersecurity Anne Neuberger announced the bug and outlined it in a two-page document ("Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers"). Everything was kept under wraps because it was deemed a serious "cybersecurity issue" that "makes trust vulnerable." This happens to be the first security flaw reported to Microsoft by the NSA.

Microsoft has already pushed out a patch for this (CVE-2020-0601), which can be applied to all versions of Windows 10, Windows Server 2016/2019, and Windows Server version 1803/1903/1909. Again, this incident is new ammo for those who think Windows 7 users are crazy for sticking to an older OS.

ZDNet has compiled a full list of the 49 vulnerabilities addressed by today's Patch Tuesday fixes.
 
Yeah, the NSA just wants to upgrade their backdoors to w10... They are probably tired of having to use 2 or 3 different backdoors depending on the OS... Its just plain lazy!!
 
those of you responsible for protecting customer data get on this one. Administrators let your security teams know. This also impacts 2016 and 2019 server OS's as well.
 
Does anyone else think the timing of this release with older windows versions being vulnerable but JUST NOW no longer being supported as suspect?
 
Does anyone else think the timing of this release with older windows versions being vulnerable but JUST NOW no longer being supported as suspect?
No im not into that type of conspiracy theory.
Does anyone really think an Microsoft OS that old wont have security flaws?
 
MS has lost it all! To be honest, this doesn’t make any sense! Microsoft is a corporation, and I do not believe that they could lose it like that. I mean, it’s not like they are a small company that performs a penetratie test once a year. But at the same time, it makes sense what it’s written in here! So I’m kind of confused about whether I should believe thesaurus or should I just skip it and find something more trustworthy! If there is someone more knowledgeable here, please make up some light here!
 
Last edited:
Yeah, the NSA just wants to upgrade their backdoors to w10... They are probably tired of having to use 2 or 3 different backdoors depending on the OS... Its just plain lazy!!

Makes you wonder how long they have been using this vulnerability, if they are willing to disclose it.
 
Become a Patron!
Back
Top