• Light/Dark
  • Ever wanted an RSS feed of all your favorite gaming news sites? Go check out our new Gaming Headlines feed! Read more about it here.

Windows 10 users: UPDATE NOW! Certificate validation is broken! (NSA: Critical Vulnerability Advisory issued)

neoak

neoak

Member
Oct 25, 2017
15,253
Edit:
McDomination said:
Yes, but there are multiple versions (cumulative updates):

KB4528760 - Windows 10 v1903/v1909 and Windows Server v1903/v1909

KB4534273 - Windows 10 v1809 and Server 2019

KB4534293 - Windows 10 v1803 and Server 2016 v1803
Click to expand...
Click to shrink...

Copying from the ETC thread: https://www.resetera.com/threads/wi...ritical-vulnerability-advisory-issued.164843/

Duplicate post on Gaming because of how serious this is:


Microsoft's scheduled security update for Windows includes a fix to a potentially dangerous bug that would allow an attacker to spoof a certificate, making it look like it came from a trusted source. The vulnerability, reported to Microsoft by the National Security Agency, affects Windows 10, Windows Server 2016, Windows Server 2019, and Windows Server version 1803.

Microsoft has rated the update as "important" rather than critical. But in a blog post, Mechele Gruhn, the Principal Security Program Manager for Microsoft Security Response Center, explained that this was because "we have not seen it used in active attacks."

However, researchers outside Microsoft—including Google's Tavis Ormandy—have a much more dire assessment of the vulnerability and urge users to patch quickly before an active exploit appears.
Click to expand...
Click to shrink...



The vulnerability is in the component of Windows' cryptography library that validates X.509 certificates, somehow bypassing the chain of trust used to validate the certificate. Microsoft's advisory on the vulnerability said that the bug could be used to fake the software-signing certificate on a malicious version of an application, making it look like it came from a trusted developer. However, the risk extends beyond just code-signing. A National Security Agency advisory indicates that the vulnerability could be used for man-in-the-middle attacks against secure HTTP (HTTPS) connections, as well, and to spoof signed files and emails.
Click to expand...
Click to shrink...

nsaadvisory-800x501.jpg


image0.jpg


PATCH NOW!
 
Last edited:
kami_sama

kami_sama

Member
Oct 26, 2017
6,993
Well shit.
I am currently away from my computer, I hope nothing happens for the next 8 hours lol
But yeah, if app signing is broken, that's pretty bad.
 
Hella

Hella

Member
Oct 27, 2017
23,392
What update is it specifically, just part of the January round of updates or what?
 
.exe

.exe

Member
Oct 25, 2017
22,206
Is this how Microsoft gets Win 7 stragglers to jump onto 10? Support ended yesterday, right 😅
 
Bufbaf

Bufbaf

Don't F5!
Member
Oct 25, 2017
12,623
Hamburg, Germany
texhnolyze said:
I always have a hard time understanding all these security warnings. Why would this affect me, for instance?
Click to expand...
Click to shrink...
Because some random asshole could send a nice virus to all PCs not having this security update, locking it up and/or destroying all data on it if you don't pay ONE MILLION DOLLARS to his bitcoin account, for example.

Like, similar to those things that happen all the freaking time still :D
 
VinceK

VinceK

One Winged Slayer
Member
Oct 25, 2017
700
For people who are still on version 1803 of Windows 10 the update you need is KB4534293 that is this months cumulative update file.
 
Valcrist

Valcrist

Tic-Tac-Toe Champion
Member
Oct 25, 2017
9,679
I've been avoiding updating because every time I update my screen gets really bright for some reason and my eye condition says "nope". Blaaah... I don't want to update...
 
MazeHaze

MazeHaze

Member
Nov 1, 2017
8,570
What does this mean exactly? When I read shit like this all I see is a transcript of the Charlie Brown teacher
 
You must log in or register to reply here.