{"id":9510,"date":"2020-01-14T15:40:06","date_gmt":"2020-01-14T20:40:06","guid":{"rendered":"http:\/\/pappp.net\/?guid=d4b26528304c7c0a3cf88a31654d3bc8"},"modified":"2020-01-14T15:40:06","modified_gmt":"2020-01-14T20:40:06","slug":"patch-windows-10-and-server-now-because-certificate-validation-is-broken","status":"publish","type":"post","link":"https:\/\/pappp.net\/?p=9510","title":{"rendered":"Patch Windows 10 and Server now because certificate validation is broken"},"content":{"rendered":"<p class=\"syndicated-attribution\">Source: <a href=\"https:\/\/arstechnica.com\/?p=1643639\">Ars Technica<\/a><\/p>\n<div style=\"background-color : #fff7d5;\n\t\t\tborder-width : 1px; padding : 5px; border-style : dashed; border-color : #e7d796;margin-bottom : 1em; color : #9a8c59;\">Article note: Oh, so that's what the dire rumors have been about.  \r\nWindows' certificate validation is broken in a way that could subvert both network validation and code signing (eg. MITMs could inject bogus updates), it looked like enough of an infrastructure threat that that the NSA disclosed instead of using it, and y'all want to patch now.<\/div><div>\n<figure><img src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2020\/01\/nsaadvisory-800x501.jpg\" alt=\"Screenshot of NSA warning.\" referrerpolicy=\"no-referrer\"\/><p><a href=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2020\/01\/nsaadvisory.jpg\" rel=\"noopener noreferrer\">Enlarge<\/a> <span>\/<\/span> The NSA says to patch now. (credit: <a rel=\"noopener noreferrer\" href=\"https:\/\/www.nsa.gov\/\">National Security Agency<\/a>)<\/p>  <\/figure><div><a name=\"page-1\"><\/a><\/div>\n<p>Microsoft's scheduled security update for Windows includes a fix to a potentially dangerous bug that would allow an attacker to spoof a certificate, making it look like it came from a trusted source. The vulnerability, reported to Microsoft by the National Security Agency, affects Windows 10, Windows Server 2016, Windows Server 2019, and Windows Server version 1803.<\/p>\n<p>Microsoft has rated the update as \"important\" rather than critical. But in a blog post, Mechele Gruhn, the Principal Security Program Manager for Microsoft Security Response Center, explained that this was because \"we have not seen it used in active attacks.\"<\/p>\n<p>However, researchers outside Microsoft&mdash;including Google's Tavis Ormandy&mdash;have a much more dire assessment of the vulnerability and urge users to patch quickly before an active exploit appears.<\/p>\n<\/div><p><a href=\"https:\/\/arstechnica.com\/?p=1643639#p3\" rel=\"noopener noreferrer\">Read 4 remaining paragraphs<\/a> | <a href=\"https:\/\/arstechnica.com\/?p=1643639&amp;comments=1\" rel=\"noopener noreferrer\">Comments<\/a><\/p><div>\n<a href=\"http:\/\/feeds.arstechnica.com\/~ff\/arstechnica\/index?a=GYRdbI89ER8:EWb42E6SYc0:V_sGLiPBpWU\" rel=\"noopener noreferrer\"><img src=\"http:\/\/feeds.feedburner.com\/~ff\/arstechnica\/index?i=GYRdbI89ER8:EWb42E6SYc0:V_sGLiPBpWU\" border=\"0\" referrerpolicy=\"no-referrer\"\/><\/a> <a href=\"http:\/\/feeds.arstechnica.com\/~ff\/arstechnica\/index?a=GYRdbI89ER8:EWb42E6SYc0:F7zBnMyn0Lo\" rel=\"noopener noreferrer\"><img src=\"http:\/\/feeds.feedburner.com\/~ff\/arstechnica\/index?i=GYRdbI89ER8:EWb42E6SYc0:F7zBnMyn0Lo\" border=\"0\" referrerpolicy=\"no-referrer\"\/><\/a> <a href=\"http:\/\/feeds.arstechnica.com\/~ff\/arstechnica\/index?a=GYRdbI89ER8:EWb42E6SYc0:qj6IDK7rITs\" rel=\"noopener noreferrer\"><img src=\"http:\/\/feeds.feedburner.com\/~ff\/arstechnica\/index?d=qj6IDK7rITs\" border=\"0\" referrerpolicy=\"no-referrer\"\/><\/a> <a href=\"http:\/\/feeds.arstechnica.com\/~ff\/arstechnica\/index?a=GYRdbI89ER8:EWb42E6SYc0:yIl2AUoC8zA\" rel=\"noopener noreferrer\"><img src=\"http:\/\/feeds.feedburner.com\/~ff\/arstechnica\/index?d=yIl2AUoC8zA\" border=\"0\" referrerpolicy=\"no-referrer\"\/><\/a>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Enlarge \/ The NSA says to patch now. (credit: National Security Agency)<br \/>\nMicrosoft&#8217;s scheduled se&#8230;<\/p>\n<p> <a href=\"https:\/\/pappp.net\/?p=9510\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[226],"tags":[],"class_list":["post-9510","post","type-post","status-publish","format-standard","hentry","category-news-2"],"_links":{"self":[{"href":"https:\/\/pappp.net\/index.php?rest_route=\/wp\/v2\/posts\/9510","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pappp.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pappp.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pappp.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pappp.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=9510"}],"version-history":[{"count":0,"href":"https:\/\/pappp.net\/index.php?rest_route=\/wp\/v2\/posts\/9510\/revisions"}],"wp:attachment":[{"href":"https:\/\/pappp.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=9510"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pappp.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=9510"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pappp.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=9510"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}