[NOTICIA RAPIDA] No se les olvide actualizar Windows 10, Problemas con crypto

Es raro ver que la NSA de una alerta sobre errores, y mas cuando lo hace publico.
Pero en este caso lo hizo porque el problema afecta la seguridad de casi todos los componentes de Windows, Particularmente los hace vulnerables a ataques de "man in the middle".

La falla CVE-2020-0601 no es Windows en si, si no en su plataforma de seguridad criptográfica. Es el sistema que maneja la seguridad como los certificados HTTPS, etc..
El problema? Antes del parche era posible hacer spoof y engañar a ciertos equipos o programas a que aceptaran un certificado diferente y que parezca valido. Lo cual podrían engañarte mostrándote un sitio diferente o copia de los oficiales.

Ahora imaginate que eres un alto diplomático y vas a un país como China. Con este tipo de MAN IN THE MIDDLE podrían redirigir todo el trafico tuyo a otro lado sin que te des cuenta y robar tu información o espiarte.

Even before Microsoft itself disclosed the details of CVE-2020-0601, a Windows CryptoAPI spoofing vulnerability, the NSA had confirmed the importance of both the flaw and the fix. Anne Neuberger, director of the NSA Cybersecurity Directorate, warned that the issue "makes trust vulnerable."

Muy raro ya que la NSA usualmente usa estos bugs para beneficiarte en su espionaje y trabajo de robar información de intereses extranjeros y potencias de otros grupos.

What is CVE-2020-0601?

The vulnerability affects all systems running Windows 10 in 32 or 64-bit versions. The CISA alert explains that it allows Elliptic Curve Cryptography (ECC) certificate validation to bypass the trust store. In other words, this means that malicious software could masquerade as legitimate software that has been authenticated and signed by a trusted source; malware detection could be negatively impacted as a result. Furthermore, browsers that rely upon Windows CryptoAPI could be fooled by a maliciously signed digital certificate and so no warnings would be issued if a threat actor were to then decrypt data or inject malicious data.

CVE-2020-0601 can be exploited to undermine Public Key Infrastructure (PKI) trust, according to Neal Ziring, technical director of the NSA Cybersecurity Directorate. "This kind of vulnerability may shake our belief in the strength of cryptographic authentication mechanisms," Ziring said, "and make us question if we can really rely on them."

While there has been some debate amongst infosecurity professionals online as to the extent to which this vulnerability could be exploited, with some even suggesting it is something of an NSA PR stunt, most agree that CVE-2020-0601 cannot be ignored. "This vulnerability may not seem flashy, but it is a critical issue," Ziring said, "trust mechanisms are the foundations on which the internet operates, and CVE-2020-0601 permits a sophisticated threat actor to subvert those very foundations."

"While it is relatively uncommon for a vulnerability of this severity to make it through the NSA's Equities process and not be weaponized and kept secret for its offensive capabilities," Chris Hass, the director of information security and research at Automox, and a former NSA security analyst, said, "it does allude to a possible shift in mentality." That being as a result of bad publicity with recent ransomware infections that were made possible by EternalBlue, a leaked NSA exploit. " If an attacker could spoof a cert to look like a trusted vendor, they would likely bypass most security controls present in the organization, giving them free rein to do whatever they wanted," Hass said, "this doesn't just affect signatures; it will also affect conviction rates of AI-based models due to the fact most AI-models use digital signatures to some capacity in weighing whether a file is malicious or not."

Para resumir... Microsoft metió la pata y su sistema que maneja todo lo criptográfico y archivos de seguridad, no revisa las 4 identidades o pasos cruciales. Esto permite que grupos terceros hagan certificados y llaves parecidas que permiten engañar al sistema de Windows.


Mas información:

www.forbes.com/sites/daveywinder/2020/01/15/us-government-issues-critical-windows-10-update-now-alert/#27aa5d39f625
arstechnica.com/information-technology/2020/01/researcher-develops-working-exploit-for-critical-windows-10-vulnerability/

Ni pex. Bajando updates...