This does not make any sense. So the exploit is to do with being able to code sign an executable without having the appropriate keys. Not too worried about that since how many people look at the thing anyway.
But how do you go from that to "man in the middle attacks" and "decrypting confidential information"? Are they just making things up or is this another case of the press having no idea what they are talking about and just throwing technical sounding words.
No it is exactly right. It's the crypto library that is flawed. This is used for both code signing and TLS negotiation. Thus you can forge a certificate and leverage an existing trust relationship easily. That can be used to set up an insecure TLS connection to MITM and obtain data or generated a code signing certificate that bypasses prompts.
With these things you have to ignore the dumbed down press and go straight to the source:
https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDFFrom my understanding what they discovered was elliptic curve parameters could be specified in the certificate which were not validated against standard curves. That allows intentionally weak parameters to be injected into the certificate to decrease certificate generation effort to something reasonable (seconds instead of billions of years).
And yes NSA have probably been using this for months. It probably only got released after it was no longer useful against their adversaries or they have another set of exploits lined up.
Home
Help
Search
Login
Register
