2020-01-16
Proof-of-Concept Exploit Code Released for Critical Cryptographic Flaw in Windows 10
The US National Security Agency (NSA) has deemed a cryptographic flaw it found in Windows 10 so critical that it took the unusual step of disclosing the flaw itself. The flaw could be exploited to spoof code signing certificates. The issue also affects Windows Server 2016 and 2019 and "applications that rely on Windows for trust functionality." The Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive instructing federal agencies to patch the issue by January 29. Proof-of-concept exploit code for the vulnerability has been released.
Editor's Note
SANS created a test site at https://curveballtest.com. The site also offers a benign executable that was signed with an exploit signature. Use it to test your defenses. Many endpoint protection products and even Chrome have added rules to detect bad signatures, possibly protecting you even if you are not yet patched.

Johannes Ullrich
Read more in:
Defense: Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers (PDF)
DHS: Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday
FNN: CISA demands 'emergency action' from agencies on Windows vulnerability patch
Wired: Windows 10 Has a Security Flaw So Severe the NSA Disclosed It
SC Magazine: NSA reveals to Microsoft critical Windows 10 flaw
ZDNet: Proof-of-concept exploits published for the Microsoft-NSA crypto bug
Ars Technica: Critical Windows 10 vulnerability used to Rickroll the NSA and Github
Ars Technica: Patch Windows 10 and Server now because certificate validation is broken
Dark Reading: Microsoft Patches Windows Vuln Discovered by the NSA
Threatpost: PoC Exploits Published For Microsoft Crypto Bug