
Windows 10 users: UPDATE NOW! Certificate validation is broken! (NSA: Critical Vulnerability Advisory issued)

neoak

Member
Oct 25, 2017
3,334
Edit:
Yes, but there are multiple versions (cumulative updates):

KB4528760 - Windows 10 v1903/v1909 and Windows Server v1903/v1909

KB4534273 - Windows 10 v1809 and Server 2019

KB4534293 - Windows 10 v1803 and Server 2016 v1803
I couldn't find a thread. This is serious.


Microsoft's scheduled security update for Windows includes a fix to a potentially dangerous bug that would allow an attacker to spoof a certificate, making it look like it came from a trusted source. The vulnerability, reported to Microsoft by the National Security Agency, affects Windows 10, Windows Server 2016, Windows Server 2019, and Windows Server version 1803.

Microsoft has rated the update as "important" rather than critical. But in a blog post, Mechele Gruhn, the Principal Security Program Manager for Microsoft Security Response Center, explained that this was because "we have not seen it used in active attacks."

However, researchers outside Microsoft—including Google's Tavis Ormandy—have a much more dire assessment of the vulnerability and urge users to patch quickly before an active exploit appears.

The vulnerability is in the component of Windows' cryptography library that validates X.509 certificates, somehow bypassing the chain of trust used to validate the certificate. Microsoft's advisory on the vulnerability said that the bug could be used to fake the software-signing certificate on a malicious version of an application, making it look like it came from a trusted developer. However, the risk extends beyond just code-signing. A National Security Agency advisory indicates that the vulnerability could be used for man-in-the-middle attacks against secure HTTP (HTTPS) connections, as well, and to spoof signed files and emails.




PATCH NOW!
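The first post lists three cumulative updates, one per Windows 10 release. The PowerShell below is an added example (not from the thread or from Microsoft) that reads the installed build, picks the KB from that list and checks whether it shows up in the installed-updates list. The build-to-release mapping (17134 = 1803, 17763 = 1809, 18362 = 1903, 18363 = 1909) is Microsoft's standard numbering; the function and variable names are my own.

```powershell
# Added example (not from the thread): report whether the January 2020
# cumulative update named in the post for this machine's Windows 10 release
# is present. KB numbers are the ones listed in the post.
$kbByBuild = @{
    17134 = 'KB4534293'   # 1803 / Server 2016 v1803
    17763 = 'KB4534273'   # 1809 / Server 2019
    18362 = 'KB4528760'   # 1903
    18363 = 'KB4528760'   # 1909
}

function Get-Cve20200601PatchStatus {
    $ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$ver.CurrentBuild
    $ubr   = [int]$ver.UBR          # revision number; rises with each cumulative update

    $expected = $kbByBuild[$build]
    if (-not $expected) {
        return [pscustomobject]@{
            Build      = "$build.$ubr"
            ExpectedKB = $null
            Installed  = $null
            Note       = 'Release not covered by the KBs in this thread; check the MSRC advisory'
        }
    }

    # Get-HotFix lists installed updates by KB id. A later cumulative update
    # supersedes this KB and may not list it by name, so $false means
    # "verify the UBR against the current cumulative update", not "unpatched".
    $installed = [bool](Get-HotFix -Id $expected -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Build      = "$build.$ubr"
        ExpectedKB = $expected
        Installed  = $installed
        Note       = $(if ($installed) { 'Fix present' }
                       else { 'KB not listed; a newer cumulative update may supersede it' })
    }
}

Get-Cve20200601PatchStatus | Format-List
```

The caveat in the comment matters in practice: cumulative updates replace each other, so on a machine that took a February 2020 or later update the January KB will not appear under its own name even though the fix is in place; the UBR in the Build field is what to compare against the current cumulative update's revision.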

TRCK

Member
Oct 25, 2017
1,279
Thanks! Anyone knows what KB this update is?

EDIT: Oh it's part of the 2020-01 Cumulative update, thanks OP!
 

DPT120

Member
Oct 27, 2017
4,367
I had two cumulative updates. One installed and the other failed. Hopefully the right one installed.
 

Scrub Jay

Member
Nov 28, 2017
230
oh god, this sounds bad. Work is going to be a shitstorm tomorrow. Why did I open this forum before going to bed?
 
Manual update instructions New
Jul 18, 2018
2,707

cameron

The Fallen
Oct 26, 2017
9,279
Just an FYI: if the update doesn't appear when you manually check for updates, and it is not already installed in your update history, make sure you're not deferring "quality updates" in the advanced options menu in Windows Update (set the number of days to 0, which is the default).
 
Oct 27, 2018
588
Every time I try to update Windows 10 it hangs on the black screen with the blue Windows logo (the one where there are normally some spinning dots to show "loading", except there are no dots) and I have to press the reset button. Then when Windows boots I just get a "Windows could not finish updating." It's been like this for months.

I just figure well it boots okay after it so I’ll just ignore it. Thankfully as well as the ‘update and shutdown’ option there’s also a just ‘shutdown’ option so now I just pick that.

Would much rather complete the update and have this latest patch on there too though!
 

ChippyTurtle

Member
Oct 13, 2018
1,154
Isn't this update just something to let you know in the future if an attacker does attack using this method, via Event Viewer, according to https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601?

So for home users it's basically worthless.
nvm, I missed the line:
The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.
 
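The post above touches on the second thing this update does besides fixing validation: once patched, CryptoAPI logs an audit event when it rejects a certificate that tries to exploit CVE-2020-0601. The PowerShell below is an added example (not from the thread or from Microsoft) that pulls those events out of the Application log. The provider name `Microsoft-Windows-Audit-CVE`, Event ID 1 and the `[CVE-2020-0601]` message text are what Microsoft's advisory for this CVE documents; treat them as values to verify on your own build, and note the function name and the 7-day default window are my own choices.

```powershell
# Added example (not from the thread): list the audit events the patched
# CryptoAPI writes when it rejects a certificate exploiting CVE-2020-0601.
# Provider, event id and message text per Microsoft's advisory for the CVE
# (verify against your build if nothing matches). Only a patched system
# emits these, so an empty result on an unpatched machine means nothing.

function Get-Cve20200601AuditEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Audit-CVE'
        Id           = 1
        StartTime    = $Since
    }
    # Get-WinEvent throws a terminating error when no events match the filter,
    # hence SilentlyContinue; an empty pipeline is the "nothing found" case.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*CVE-2020-0601*' } |
        Select-Object TimeCreated, MachineName, Id, Message
}

$hits = @(Get-Cve20200601AuditEvents)
if ($hits.Count -eq 0) {
    "No CVE-2020-0601 audit events in the last 7 days (or this system is not yet patched)."
} else {
    $hits | Format-Table -AutoSize -Wrap
}
```

On a fleet, the same filter hashtable works with `Get-WinEvent -ComputerName` or can be turned into a subscription/forwarding rule, which is the practical answer to the "worthless for home users" question: for an individual the fix is the patch itself, and the event is there for whoever is watching logs.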
Oct 27, 2017
539
Well, this was my PC security freakout for the day. Thanks for the heads up, rammed the update with a quickness. I'm still on 1809 because I've been lazy and the auto update failed and magically disappeared after me delaying it for a week, so lmao. I got the 2020-01 cumulative update; it was KB4534273 for me. According to this: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601 I should be good now, right?

Someone smarter than me plz quote me and tell me I'm good and safe now lmao.