Researcher develops working exploit for critical Windows 10 vulnerability

Another example of why, for the past nearly 20 years, I use GNU/Linux, not Windows, as my OS - Though it has lots of shinies, Windows has never been secure, and it will likely never be secure. My files, my privacy, and my state of mind are worth too much to trust them to an insecure platform such as Windows.
Linux which would just happen to use OpenSSL, right?
 
Upvote
39 (40 / -1)

panton41

Ars Legatus Legionis
11,115
Subscriptor
Another example of why, for the past nearly 20 years, I use GNU/Linux, not Windows, as my OS - Though it has lots of shinies, Windows has never been secure, and it will likely never be secure. My files, my privacy, and my state of mind are worth too much to trust them to an insecure platform such as Windows.

Heartbleed in OpenSSL says "hello."

Open Source isn't a magic panacea for security and by and large, against its built-in software, Windows is as secure, if not more so, as any other operating system these days. And pointing to this as proof otherwise is, frankly, dumb because we're also talking about something that's already patched even if it still needs to be fully pushed out.
 
Upvote
41 (44 / -3)

grumpy2

Ars Scholae Palatinae
1,320
Another example of why, for the past nearly 20 years, I use GNU/Linux, not Windows, as my OS - Though it has lots of shinies, Windows has never been secure, and it will likely never be secure. My files, my privacy, and my state of mind are worth too much to trust them to an insecure platform such as Windows.

Yes, luckily Linux software tends to rely on OpenSSL which has never had any serious vulnerabilities.

/s
 
Upvote
31 (32 / -1)

Pursue Beauty

Smack-Fu Master, in training
51
"What Saleem just demonstrated is: with [a short] script you can generate a cert for any website, and it's fully trusted on IE and Edge with just the default settings for Windows," Kenn White, a researcher and security principal at MongoDB, said. That's fairly horrifying. It affects VPN gateways, VoIP, basically anything that uses network communications." (I spoke with White before Rashid had demonstrated the attack against Chrome.)

Quick edit: there's Three quotation marks in this quote instead of Four. You're missing an opening quotation mark after [Kenn White... said.]

Also, the title of this section is ["Fairly terrifying"] in quotation marks, but the actual quote is "fairly horrifying", but this isn't such a big deal.

As I'm an idiot, I was also initially confused as to why White would comment on a bug demonstration before it had been published, but I realized successfully that the timeline was: Rashid demonstrates flaw on IE/Edge. Interview with White. Rashid demonstrates flaw on Chrome. For the other idiots out there, maybe this can be made more clear?
 
Upvote
6 (6 / 0)

IndigoForever

Wise, Aged Ars Veteran
107
This is likely to be in the wild if the NSA have disclosed it; as others surmised, they have been aware of it for over a decade (this bug was used in TUTELAGE'S "INTERCEPT" "BLOCK" and other operational modes) but made it public now. Why? The benefits it provides now are outweighed by an unannounced risk.

If this sounds a bit hindsight, but in cryptography there is an algorithm called ECDSA, Elliptic Curve DSA. The base point parameter is critical of course, but it is well known that failure to validate this can cause false signature matches during digital certificate validation.

The base point validation is critical in ALL elliptic curve cryptography, otherwise it is trivial to generate a private key which will sign a certificate to produce a signature with the same value as any other certificate of choice when parameter G is neglected. Again in hindsight, this sounds like the precise scenario we find ourselves in so I would hazard a guess that this is where the Microsoft implementation of ECC falls down; failure to validate the base point in given domain parameters.
 
Upvote
9 (9 / 0)
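The base-point check described in the comment above, as an added example that is not part of the original thread and is not Microsoft's code. It uses a textbook-sized curve (y^2 = x^3 + 2x + 2 over GF(17)) standing in for a pinned named curve; every name and value in it is constructed for illustration. It shows that a key lookup comparing only the public point accepts a parameter set with a different generator, that on-curve and order checks alone do not catch it, and that comparing every domain parameter against the pinned curve does.

```python
"""Toy model of generator (base point) validation; not real cryptographic code."""
from dataclasses import dataclass, fields
from typing import List, Optional, Tuple

Point = Optional[Tuple[int, int]]  # None stands for the point at infinity


@dataclass(frozen=True)
class DomainParams:
    p: int               # field prime
    a: int               # curve coefficient a
    b: int               # curve coefficient b
    G: Tuple[int, int]   # generator (base point)
    n: int               # order of G


# Assumption: this tiny curve plays the role of the named curve the verifier pins.
PINNED = DomainParams(p=17, a=2, b=2, G=(5, 1), n=19)


def on_curve(c: DomainParams, P: Point) -> bool:
    if P is None:
        return True
    x, y = P
    return (y * y - (x * x * x + c.a * x + c.b)) % c.p == 0


def add(c: DomainParams, P: Point, Q: Point) -> Point:
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % c.p == 0:
        return None  # P + (-P), or doubling a point with y == 0
    if P == Q:
        lam = (3 * x1 * x1 + c.a) * pow((2 * y1) % c.p, -1, c.p)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % c.p, -1, c.p)
    lam %= c.p
    x3 = (lam * lam - x1 - x2) % c.p
    return (x3, (lam * (x1 - x3) - y1) % c.p)


def mul(c: DomainParams, k: int, P: Point) -> Point:
    """Double-and-add scalar multiplication."""
    R: Point = None
    while k:
        if k & 1:
            R = add(c, R, P)
        P = add(c, P, P)
        k >>= 1
    return R


def structural_problems(c: DomainParams) -> List[str]:
    """Checks that need no pinned copy: G lies on the curve and has order n."""
    if not on_curve(c, c.G):
        return ["G is not on the curve"]
    if mul(c, c.n, c.G) is not None:
        return ["n*G is not the point at infinity"]
    return []


def pinning_problems(presented: DomainParams, pinned: DomainParams) -> List[str]:
    """Every domain parameter, the generator included, must equal the pinned value."""
    return [f"{f.name} differs from the pinned curve"
            for f in fields(pinned)
            if getattr(presented, f.name) != getattr(pinned, f.name)]


def key_matches_weak(trusted_pub: Point, presented_pub: Point) -> bool:
    """Flawed lookup: compares the public point and ignores the parameters."""
    return trusted_pub == presented_pub


def key_matches_strict(pinned: DomainParams, trusted_pub: Point,
                       presented: DomainParams, presented_pub: Point) -> bool:
    """Hardened lookup: parameters are validated before the key is compared."""
    if structural_problems(presented) or pinning_problems(presented, pinned):
        return False
    return trusted_pub == presented_pub


# Constructed sample data. The trusted key lives on the pinned curve.
TRUSTED_PUB = mul(PINNED, 7, PINNED.G)
# A second parameter set with the same field and coefficients but a different
# generator, with a scalar chosen so the resulting public point coincides.
ALT_PARAMS = DomainParams(p=17, a=2, b=2, G=mul(PINNED, 2, PINNED.G), n=19)
ALT_PUB = mul(ALT_PARAMS, 13, ALT_PARAMS.G)

if __name__ == "__main__":
    print("weak lookup accepts:", key_matches_weak(TRUSTED_PUB, ALT_PUB))
    print("structural checks:", structural_problems(ALT_PARAMS))
    print("pinning checks:", pinning_problems(ALT_PARAMS, PINNED))
    print("strict lookup accepts:",
          key_matches_strict(PINNED, TRUSTED_PUB, ALT_PARAMS, ALT_PUB))
```

The alternate generator passes the on-curve and order checks because it is a legitimate point of the same group, which is why the generator has to be compared against the pinned value rather than only sanity-checked.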
I’m usually very much against my computer telling me when to reboot and update, but this is pretty damn serious. Really hope this update is applied globally asap.

So SO tired of people whining about updates. JFC.

When I don't need to manually go into the update package, check its contents, verify it doesn't contain bloatware, do a quick internet check to verify it won't brick my PC, activate Siri for the 25th time, or make me opt-out of all Microsoft marketing stuff again due to a "new feature" introduced.
I mean, updating is always good (and I DO update) but they do need to iron the process.
TFW by "Siri" you meant "Cortana". You fake-ass Apple poser, you... 🤪
 
Upvote
28 (28 / 0)

panton41

Ars Legatus Legionis
11,115
Subscriptor
This is likely to be in the wild if the NSA have disclosed it; as others surmised, they have been aware of it for over a decade (this bug was used in TUTELAGE'S "INTERCEPT" "BLOCK" and other operational modes) but made it public now. Why? The benefits it provides now are outweighed by an unannounced risk.

If this sounds a bit hindsight, but in cryptography there is an algorithm called ECDSA, Elliptic Curve DSA. The base point parameter is critical of course, but it is well known that failure to validate this can cause false signature matches during digital certificate validation.

The base point validation is critical in ALL elliptic curve cryptography, otherwise it is trivial to generate a private key which will sign a certificate to produce a signature with the same value as any other certificate of choice when parameter G is neglected. Again in hindsight, this sounds like the precise scenario we find ourselves in so I would hazard a guess that this is where the Microsoft implementation of ECC falls down; failure to validate the base point in given domain parameters.

One thing I like about comments on Ars is people able to explain super complicated stuff in simple, yet technical, terms even people like me can follow. (I've done RSA by hand with very low key values and that's the limit of my real knowledge of cryptography math; and I've forgotten it all since then.)
 
Upvote
14 (14 / 0)

grumpy2

Ars Scholae Palatinae
1,320
I’m usually very much against my computer telling me when to reboot and update, but this is pretty damn serious. Really hope this update is applied globally asap.

So SO tired of people whining about updates. JFC.
So SO tired of Microsoft completely breaking my computers with every other update. People would not whine about updates if MS had any kind of quality control or testing.

Microsoft breaks your computers with every other update? So that's every two months? That's really impressive. Weird how most Windows users don't need to replace their computer every two months? Maybe, just maybe, you're either (a) wildly exaggerating because you think talking shit about Microsoft is good for your geek cred, or (b) you're doing something you shouldn't to your computers?

Seriously dude, just chill out. Microsoft isn't breaking your computers every two months. They're just not. You're making it up. Getting angry over made-up issues is only cool while you're a teenager.

Microsoft has definitely released some updates that broke stuff, sure. Apple has released updates that bricked people's phones. And my Linux distro certainly doesn't have a perfect track record either. So effing what? Software is hard. But the internet has enough faux outrage and vitriol as it is.
 
Upvote
32 (42 / -10)

swerfot

Well-known member
67
Another example of why, for the past nearly 20 years, I use GNU/Linux, not Windows, as my OS - Though it has lots of shinies, Windows has never been secure, and it will likely never be secure. My files, my privacy, and my state of mind are worth too much to trust them to an insecure platform such as Windows.
With comments like that you are just demonstrating your ignorance.
 
Upvote
15 (20 / -5)

povlhp

Smack-Fu Master, in training
62
Exploitability is MUCH easier than listed above.
If you can send DNS response packets to client on public WiFi somewhere, you can tell them the bank website is now at hackers ip. Packet sniffing will give you the request, and you can respond very quickly (at least with classic DNS over UDP/53).

Fake access point will give you the same option.
 
Upvote
5 (5 / 0)

swerfot

Well-known member
67
I’m usually very much against my computer telling me when to reboot and update, but this is pretty damn serious. Really hope this update is applied globally asap.

So SO tired of people whining about updates. JFC.
So SO tired of Microsoft completely breaking my computers with every other update. People would not whine about updates if MS had any kind of quality control or testing.

Microsoft breaks your computers with every other update? So that's every two months? That's really impressive. Weird how most Windows users don't need to replace their computer every two months? Maybe, just maybe, you're either (a) wildly exaggerating because you think talking shit about Microsoft is good for your geek cred, or (b) you're doing something you shouldn't to your computers?

Seriously dude, just chill out. Microsoft isn't breaking your computers every two months. They're just not. You're making it up. Getting angry over made-up issues is only cool while you're a teenager.

Microsoft has definitely released some updates that broke stuff, sure. Apple has released updates that bricked people's phones. And my Linux distro certainly doesn't have a perfect track record either. So effing what? Software is hard. But the internet has enough faux outrage and vitriol as it is.
Do you read the news?.. Ever?.. Because if you did, you'd know very well what I mean.
Somehow, software wasn't that hard with Windows 7, or Windows XP. Those rarely broke because of updates. But suddenly, with Windows 10 it became oh so difficult... Could it be this has something to do with MS laying off almost all their testers? No?..
 
Upvote
-10 (15 / -25)

Pursue Beauty

Smack-Fu Master, in training
51
I’m usually very much against my computer telling me when to reboot and update, but this is pretty damn serious. Really hope this update is applied globally asap.

So SO tired of people whining about updates. JFC.
So SO tired of Microsoft completely breaking my computers with every other update. People would not whine about updates if MS had any kind of quality control or testing.

Microsoft breaks your computers with every other update? So that's every two months? That's really impressive. Weird how most Windows users don't need to replace their computer every two months? Maybe, just maybe, you're either (a) wildly exaggerating because you think talking shit about Microsoft is good for your geek cred, or (b) you're doing something you shouldn't to your computers?

Seriously dude, just chill out. Microsoft isn't breaking your computers every two months. They're just not. You're making it up. Getting angry over made-up issues is only cool while you're a teenager.

Microsoft has definitely released some updates that broke stuff, sure. Apple has released updates that bricked people's phones. And my Linux distro certainly doesn't have a perfect track record either. So effing what? Software is hard. But the internet has enough faux outrage and vitriol as it is.
Do you read the news?.. Ever?.. Because if you did, you'd know very well what I mean.
Somehow, software wasn't that hard with Windows 7, or Windows XP. Those rarely broke because of updates. But suddenly, with Windows 10 it became oh so difficult... Could it be this has something to do with MS laying off almost all their testers? No?..

I think you're remembering XP and 7 with a bit of nostalgia, my friend. It's human nature to remember the past as being better than it actually was. Sometimes it's important to review the primary sources in order to see things clearly, such as this database of Windows XP security vulnerabilities, for example.

Always remember that most of the decisions made in the world, with our progress and our failures, are made by normal people just doing our best. There are certainly reasons to be angry. There are systemic problems that must be addressed. There are people benefitting from human suffering - people enriching themselves at others' expense. Unless you believe that Microsoft bungling some development falls into that category, I recommend you save your indignation for something more worthwhile. :)
 
Upvote
22 (28 / -6)

swerfot

Well-known member
67
I’m usually very much against my computer telling me when to reboot and update, but this is pretty damn serious. Really hope this update is applied globally asap.

So SO tired of people whining about updates. JFC.
So SO tired of Microsoft completely breaking my computers with every other update. People would not whine about updates if MS had any kind of quality control or testing.

Microsoft breaks your computers with every other update? So that's every two months? That's really impressive. Weird how most Windows users don't need to replace their computer every two months? Maybe, just maybe, you're either (a) wildly exaggerating because you think talking shit about Microsoft is good for your geek cred, or (b) you're doing something you shouldn't to your computers?

Seriously dude, just chill out. Microsoft isn't breaking your computers every two months. They're just not. You're making it up. Getting angry over made-up issues is only cool while you're a teenager.

Microsoft has definitely released some updates that broke stuff, sure. Apple has released updates that bricked people's phones. And my Linux distro certainly doesn't have a perfect track record either. So effing what? Software is hard. But the internet has enough faux outrage and vitriol as it is.
Do you read the news?.. Ever?.. Because if you did, you'd know very well what I mean.
Somehow, software wasn't that hard with Windows 7, or Windows XP. Those rarely broke because of updates. But suddenly, with Windows 10 it became oh so difficult... Could it be this has something to do with MS laying off almost all their testers? No?..

I think you're remembering XP and 7 with a bit of nostalgia, my friend. It's human nature to remember the past as being better than it actually was. Sometimes it's important to review the primary sources in order to see things clearly, such as this database of Windows XP security vulnerabilities, for example.

Always remember that most of the decisions made in the world, with our progress and our failures, are made by normal people just doing our best. There are certainly reasons to be angry. There are systemic problems that must be addressed. There are people benefitting from human suffering - people enriching themselves at others' expense. Unless you believe that Microsoft bungling some development falls into that category, I recommend you save your indignation for something more worthwhile. :)

Oh no, I don't say that Win7 or XP were more secure than Windows 10, definitely not! What I mean is that I have never had such a strong anxiety before installing any OS updates when I was using older versions of Windows. With Windows 10, however, I start praying every time I allow it to proceed with update installation.
You can try to deny my personal experience with your own personal experience as much as you want, but you must realize my poor experience isn't going to change and I'm not going to start trusting Windows 10 updates until quality control issues are resolved. Personally, for my own computers, I have found a solution:
Windows 10 LTSB (renamed to LTSC)!
This version is just stable enough for me to leave updates enabled and not worry if I'm still gonna have a working PC the next day.
 
Upvote
-14 (7 / -21)

ChrisSD

Ars Tribunus Angusticlavius
6,178
Your personal experience is your own but I'm not sure how anyone could have lived through XP service packs and yet compare it favourably to Windows 10 updates...

I've complained a lot about Windows 10 pushing out feature updates before they're fully baked but I really wouldn't want to go back to XP style feature updates.
 
Upvote
10 (17 / -7)
Nitfortheday.

The behavior is tantamount to a law enforcement officer who checks someone's ID to make sure it properly describes the person's height, address, birthday, and face but fails to notice that the weight is listed as 250 pounds when the person clearly weighs less than half that.

Since a person's weight is quite variable, this example would be better if the cop did not compare the picture with the person in front of them.
 
Upvote
7 (7 / 0)

grumpy2

Ars Scholae Palatinae
1,320
I’m usually very much against my computer telling me when to reboot and update, but this is pretty damn serious. Really hope this update is applied globally asap.

So SO tired of people whining about updates. JFC.
So SO tired of Microsoft completely breaking my computers with every other update. People would not whine about updates if MS had any kind of quality control or testing.

Microsoft breaks your computers with every other update? So that's every two months? That's really impressive. Weird how most Windows users don't need to replace their computer every two months? Maybe, just maybe, you're either (a) wildly exaggerating because you think talking shit about Microsoft is good for your geek cred, or (b) you're doing something you shouldn't to your computers?

Seriously dude, just chill out. Microsoft isn't breaking your computers every two months. They're just not. You're making it up. Getting angry over made-up issues is only cool while you're a teenager.

Microsoft has definitely released some updates that broke stuff, sure. Apple has released updates that bricked people's phones. And my Linux distro certainly doesn't have a perfect track record either. So effing what? Software is hard. But the internet has enough faux outrage and vitriol as it is.
Do you read the news?.. Ever?.. Because if you did, you'd know very well what I mean.
Somehow, software wasn't that hard with Windows 7, or Windows XP. Those rarely broke because of updates. But suddenly, with Windows 10 it became oh so difficult... Could it be this has something to do with MS laying off almost all their testers? No?..

Weird, I vividly remember people complaining about updates breaking stuff on Win7 and XP too. People were refusing to install Windows updates 20 years ago because "it always breaks stuff". I must've imagined that. If you'll remember, the whole reason Microsoft made it impossible to completely opt out of installing updates with Windows 10 was that previously, people just *didn't* install them. Because they were said to break stuff.

Yes, there's been a lot of fallout from MS reorganizing how they do testing and I agree Microsoft dropped the ball on this. It's just not relevant here. If you'll recall, this thread is under an article about a flaw in their encryption libraries, and let's be honest here, *this* kind of vulnerability is not something that would've been detected by having an army of testers testing that *this* obscure corner of Windows still works if you have *this* particular bios and plug *that* particular brand of USB stick into your computer when the moon is full. Those were the kinds of issues their old testing departments excelled at detecting. It was never their responsibility to spot flaws in the implementation of TLS encryption algorithms. And this may come as a surprise to you but (1) Microsoft still has both quality control and testing, and (2) they have *a lot* of quality control and testing for security-sensitive areas such as this. This issue didn't slip through the cracks because "they laid off almost all their testers"
 
Upvote
23 (24 / -1)

Statistical

Ars Legatus Legionis
55,679
I’m usually very much against my computer telling me when to reboot and update, but this is pretty damn serious. Really hope this update is applied globally asap.

So SO tired of people whining about updates. JFC.
So SO tired of Microsoft completely breaking my computers with every other update. People would not whine about updates if MS had any kind of quality control or testing.

Microsoft breaks your computers with every other update? So that's every two months? That's really impressive. Weird how most Windows users don't need to replace their computer every two months? Maybe, just maybe, you're either (a) wildly exaggerating because you think talking shit about Microsoft is good for your geek cred, or (b) you're doing something you shouldn't to your computers?

Seriously dude, just chill out. Microsoft isn't breaking your computers every two months. They're just not. You're making it up. Getting angry over made-up issues is only cool while you're a teenager.

Microsoft has definitely released some updates that broke stuff, sure. Apple has released updates that bricked people's phones. And my Linux distro certainly doesn't have a perfect track record either. So effing what? Software is hard. But the internet has enough faux outrage and vitriol as it is.
Do you read the news?.. Ever?.. Because if you did, you'd know very well what I mean.
Somehow, software wasn't that hard with Windows 7, or Windows XP. Those rarely broke because of updates. But suddenly, with Windows 10 it became oh so difficult... Could it be this has something to do with MS laying off almost all their testers? No?..

Yeah XP was glorious. Never had vulnerabilities, never had a BSOD, never had bad updates. Just 100% perfect code all the time. Then mean ole Microsoft got rid of it because it was too perfect and stuff.

Seriously what universe have you been living in because I want to go to there?
 
Upvote
23 (23 / 0)

mmiller7

Ars Legatus Legionis
12,389
I’m usually very much against my computer telling me when to reboot and update, but this is pretty damn serious. Really hope this update is applied globally asap.

So SO tired of people whining about updates. JFC.
How much is too much though?

I've had my Win10 work PC tell me I have to stop and reboot more than once in the same day.

When I had a Win10 home PC, I had it reboot multiple days in a row when I was trying to run long jobs on a holiday weekend...or one time I checked updates and rebooted at the start of a day to ensure it wouldn't, and then at the end of "active hours" the same day it rebooted without asking because apparently there was ANOTHER update.

Updates striking at bad times has also impacted a weekend 24 hour radio contest where people are running on generator power...more than once in the wee hours of the morning someone has gone to get coffee or went to shut down to refuel a generator and the computer is like "LOL update time, don't shut off". And no, not everyone has laptops with batteries.
 
Upvote
-14 (5 / -19)

lakerrl3

Seniorius Lurkius
27
Subscriptor++
This really shows that security is difficult to implement correctly. The underlying code that makes this exploit possible was vetted by MANY software and security experts and is only just now being found out. It's a tough business and there are always more vulnerabilities that haven't yet been discovered... or are not yet disclosed because, as another commenter mentioned, the benefits do not yet "outweigh the risks".
 
Upvote
6 (7 / -1)

reuthermonkey

Ars Centurion
282
Subscriptor
It's an odd day when the NSA is the reporter of backdoor...
It's hard for me to process the Ars front page today.

NSA: There's one critical vulnerability in a Windows crypto library. Everyone drop everything and patch immediately.
FBI: Let's break all encryption on purpose.
This is actually how it is *supposed* to work.
The NSA's mandate is the protection of US assets AND persons - Not Law Enforcement. The NSA should be the largest reporter of CVE's to United States software companies. It should be working with them to secure US assets, not just leave US persons open to attack so those same vulnerabilities can be used for offensive capabilities against foreign targets.

The FBI's mandate is domestic Federal law enforcement. Not Constitutional judgements.

It does raise the question why Microsoft would suddenly change how the OS implements this validation in Windows 10, but not Windows 8.1 or Windows 7. It does raise some doubts that this "oversight" of a fundamental aspect of internet security in the HTTPSEverywhere era was truly an accident.
 
Upvote
2 (2 / 0)

Xyler

Ars Scholae Palatinae
1,400
I’m usually very much against my computer telling me when to reboot and update, but this is pretty damn serious. Really hope this update is applied globally asap.

So SO tired of people whining about updates. JFC.
So SO tired of Microsoft completely breaking my computers with every other update. People would not whine about updates if MS had any kind of quality control or testing.

Been using Windows 10 since its release, not once has MS broken something with an update. The only inconvenience to me was that NVidia's Instant Replay feature stopped working for about 2 months after 1709. Other than that, not a single issue.

Oddly enough, I've had less crashes and blue screens on Windows 10 than I had on Windows 7. And Windows 7 rebooted me more times for updates than 10 ever did. So... maybe PEBKAC is the error code you should be looking into?
 
Upvote
13 (15 / -2)

Corruption

Ars Tribunus Militum
1,521
Subscriptor
I’m usually very much against my computer telling me when to reboot and update, but this is pretty damn serious. Really hope this update is applied globally asap.

So SO tired of people whining about updates. JFC.

When I don't need to manually go into the update package, check its contents, verify it doesn't contain bloatware, do a quick internet check to verify it won't brick my PC, activate Siri for the 25th time, or make me opt-out of all Microsoft marketing stuff again due to a "new feature" introduced.
I mean, updating is always good (and I DO update) but they do need to iron the process.
TFW by "Siri" you meant "Cortana". You fake-ass Apple poser, you... 🤪

It also shows they don't actually update considering Cortana has been separated from the OS.
 
Upvote
5 (5 / 0)
Here's the problem with .gov and computer updates:

I work for a large defense contractor on a military base. I have two computers on my desk, one is corporate owned and other is military owned.

The corp computer updated this morning at like 2 AM.

The .mil computer? As of when I left work at 5pm, still not updated. I have low expectations that it will be updated by the time I get to work in the morning.

When I was at DISA many mil systems opt out of Windows root updates so they might be fine if they have no ECC root CAs trusted.
 
Upvote
2 (2 / 0)

ab78

Ars Tribunus Militum
1,813
The worst thing about Windows 10 for me is the networking code. On exactly the same hardware Linux has perfectly working networking, whereas on Windows 10 the network drops its connection randomly, but often enough to be incredibly annoying when gaming over the connection. Same thing happens on wifi and ethernet connections. The drivers and Windows updates are all up to date, I've tried all the tips about disabling power saving etc. to no avail.
 
Upvote
-9 (2 / -11)

swerfot

Well-known member
67
I’m usually very much against my computer telling me when to reboot and update, but this is pretty damn serious. Really hope this update is applied globally asap.

So SO tired of people whining about updates. JFC.
So SO tired of Microsoft completely breaking my computers with every other update. People would not whine about updates if MS had any kind of quality control or testing.

Microsoft breaks your computers with every other update? So that's every two months? That's really impressive. Weird how most Windows users don't need to replace their computer every two months? Maybe, just maybe, you're either (a) wildly exaggerating because you think talking shit about Microsoft is good for your geek cred, or (b) you're doing something you shouldn't to your computers?

Seriously dude, just chill out. Microsoft isn't breaking your computers every two months. They're just not. You're making it up. Getting angry over made-up issues is only cool while you're a teenager.

Microsoft has definitely released some updates that broke stuff, sure. Apple has released updates that bricked people's phones. And my Linux distro certainly doesn't have a perfect track record either. So effing what? Software is hard. But the internet has enough faux outrage and vitriol as it is.
Do you read the news?.. Ever?.. Because if you did, you'd know very well what I mean.
Somehow, software wasn't that hard with Windows 7, or Windows XP. Those rarely broke because of updates. But suddenly, with Windows 10 it became oh so difficult... Could it be this has something to do with MS laying off almost all their testers? No?..

Yeah XP was glorious. Never had vulnerabilities, never had a BSOD, never had bad updates. Just 100% perfect code all the time. Then mean ole Microsoft got rid of it because it was too perfect and stuff.

Seriously what universe have you been living in because I want to go to there?
These are your words, not mine. I never said anything remotely like that.
So you can go ahead and answer your own question now.
 
Upvote
-14 (2 / -16)
Given the nature of the bug one wonders how rigorously MS tests their code, especially critical parts like this. Also, time for NIST to update their X.509 test suite perhaps.

As we've seen over the last few years, Microsoft's testing seems to largely consist of getting the broad public to test things via their Insider program, and then . . . not noticing the bugs pointed out by members of that program until they ship.

I don't know. Apple's aptly named goto fail was in both iOS and macOS, for years, if I remember right.

And the GnuTLS library had its own crypto disaster that threatened Red Hat, Ubuntu, Debian and hundreds of other open-source packages.

So I'm not sure sloppy testing is endemic to Microsoft.
To be honest, testing with unit tests is more of a modern thing that arose in the last decade or two and a half. The idea of unit tests for code was still actively opposed by developers in the 90’s and 2000’s.

I had a frustrating "discussion" with an idiot at Adobe around the turn of the century. "Unit tests only catch errors you have already made and fixed so it is a waste of time". I lost. Testing remained something a group of QA monkeys performed by banging on their keyboards. Well they were more competent than that but not unit test level competent.
 
Upvote
3 (4 / -1)

swerfot

Well-known member
67
I’m usually very much against my computer telling me when to reboot and update, but this is pretty damn serious. Really hope this update is applied globally asap.

So SO tired of people whining about updates. JFC.
So SO tired of Microsoft completely breaking my computers with every other update. People would not whine about updates if MS had any kind of quality control or testing.

Been using Windows 10 since its release, not once has MS broken something with an update. The only inconvenience to me was that NVidia's Instant Replay feature stopped working for about 2 months after 1709. Other than that, not a single issue.

Oddly enough, I've had less crashes and blue screens on Windows 10 than I had on Windows 7. And Windows 7 rebooted me more times for updates than 10 ever did. So... maybe PEBKAC is the error code you should be looking into?
And how is that PEBKAC if Windows 10 LTSB/LTSC has been running flawlessly for me on all of my personal machines for 3 years now?.. I am only complaining about regular/consumer versions here...
 
Upvote
-5 (2 / -7)

Dzov

Ars Legatus Legionis
16,060
Subscriptor++
Here's the problem with .gov and computer updates:

I work for a large defense contractor on a military base. I have two computers on my desk, one is corporate owned and other is military owned.

The corp computer updated this morning at like 2 AM.

The .mil computer? As of when I left work at 5pm, still not updated. I have low expectations that it will be updated by the time I get to work in the morning.

When I was at DISA many mil systems opt out of Windows root updates so they might be fine if they have no ECC root CAs trusted.
Couldn't someone just use ECC on an impersonated trusted CA?
 
Upvote
0 (0 / 0)
This really shows that security is difficult to implement correctly. The underlying code that makes this exploit possible was vetted by MANY software and security experts and is only just now being found out. It's a tough business and there are always more vulnerabilities that haven't yet been discovered... or are not yet disclosed because, as another commenter mentioned, the benefits do not yet "outweigh the risks".

Yet the exploit doesn't work on Firefox. Maybe the problem is every browser and their mother being a clone of Chrome. The more people use the same code, the easier is to find exploits for said code.
 
Upvote
-5 (2 / -7)