AppDefects
Community Champion

Chain of Fools/Curveball Windows CryptoAPI Vulnerability

This week's Patch Tuesday made things really interesting with the announcement by the NSA that Windows Server 2016/2019 and Windows 10 had a critical vulnerability in their CryptoAPI component (Crypt32.dll). Essentially, the vulnerability pertained to how Elliptic Curve Cryptography (ECC) certificates were validated.


There are lots of great write-ups here, here, and a test here. Why did the NSA choose to work with Microsoft on responsible disclosure prior to the patch rather than weaponizing it themselves? Maybe, just maybe, Nation State actors were already exploiting it...

1 Reply
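The post above says the flaw was in how CryptoAPI validated ECC certificates. The part a defender can act on is that the public write-ups describe certificates whose EC public key spells out its own curve parameters (an explicit `SpecifiedECDomain` SEQUENCE) instead of naming a standard curve by OID; a legitimate CA-issued certificate essentially always uses a named curve, so flagging explicit parameters is a cheap detection check for certificates seen in TLS inspection, code-signing audits or incident response. The script below is an added example written for this thread, not code from the original post or from any of the linked write-ups or tests. It is a minimal DER walker (no external libraries) that pulls the SubjectPublicKeyInfo out of a DER certificate and classifies the EC parameters; the two sample keys are constructed in-line with a placeholder public point and, for the explicit case, a truncated parameter SEQUENCE, so the bytes are not real-world certificates.

```python
"""Flag EC keys that carry explicit curve parameters instead of a named curve.

Added example for the Curveball thread; assumes DER input (convert PEM first).
"""

# DER-encoded OID contents (without tag/length). Both are real, standard OIDs.
OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # 1.2.840.10045.2.1 ecPublicKey
OID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")    # 1.2.840.10045.3.1.7 P-256

TAG_INTEGER, TAG_BITSTRING, TAG_OID, TAG_SEQUENCE = 0x02, 0x03, 0x06, 0x30


def der_read(buf, pos=0):
    """Read one DER TLV starting at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_tlv(tag, value):
    """Encode one DER element (used here only to build constructed samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def spki_from_certificate(cert_der):
    """Pull the SubjectPublicKeyInfo element out of a DER X.509 certificate."""
    _, cert, _ = der_read(cert_der)         # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert)              # tbsCertificate is its first element
    pos, elems = 0, []
    while pos < len(tbs):
        tag, _, end = der_read(tbs, pos)
        elems.append((tag, tbs[pos:end]))   # keep the raw TLV bytes
        pos = end
    if elems[0][0] == 0xA0:                 # optional [0] EXPLICIT version
        elems.pop(0)
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return elems[5][1]


def ec_parameter_kind(spki_der):
    """Classify the ECParameters CHOICE inside an ecPublicKey AlgorithmIdentifier.

    Returns 'named' (curve given by OID), 'explicit' (SpecifiedECDomain SEQUENCE,
    the shape a defender should flag), 'implicit' (NULL or absent) or 'not-ec'.
    """
    _, spki, _ = der_read(spki_der)
    _, alg_id, _ = der_read(spki)           # AlgorithmIdentifier
    tag, alg_oid, pos = der_read(alg_id)
    if tag != TAG_OID or alg_oid != OID_EC_PUBLIC_KEY:
        return "not-ec"
    if pos >= len(alg_id):
        return "implicit"
    tag, _, _ = der_read(alg_id, pos)
    if tag == TAG_OID:
        return "named"
    if tag == TAG_SEQUENCE:
        return "explicit"
    return "implicit"


# Constructed samples. The public key BIT STRING is a placeholder point, not a
# real key; the explicit parameters are truncated to the leading version INTEGER
# (a real SpecifiedECDomain also carries field, curve, base point, order, cofactor).
FAKE_POINT = der_tlv(TAG_BITSTRING, b"\x00\x04" + b"\x11" * 64)

NAMED_SPKI = der_tlv(TAG_SEQUENCE,
    der_tlv(TAG_SEQUENCE, der_tlv(TAG_OID, OID_EC_PUBLIC_KEY)
                          + der_tlv(TAG_OID, OID_PRIME256V1))
    + FAKE_POINT)

EXPLICIT_SPKI = der_tlv(TAG_SEQUENCE,
    der_tlv(TAG_SEQUENCE, der_tlv(TAG_OID, OID_EC_PUBLIC_KEY)
                          + der_tlv(TAG_SEQUENCE, der_tlv(TAG_INTEGER, b"\x01")))
    + FAKE_POINT)


if __name__ == "__main__":
    for label, spki in (("named-curve sample", NAMED_SPKI),
                        ("explicit-parameter sample", EXPLICIT_SPKI)):
        kind = ec_parameter_kind(spki)
        verdict = "FLAG for review" if kind == "explicit" else "ok"
        print(f"{label}: {kind} -> {verdict}")
```

To run it against a real certificate, read the DER file, call `spki_from_certificate` and then `ec_parameter_kind`; anything reported as `explicit` deserves a second look regardless of whether the platform in question has been patched, because nothing in a normal PKI issues keys that way.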
Steve_D
Newcomer I

My suspicion would be that the NSA already knew about the vulnerability and how to exploit it - possibly a reason they were pushing so hard for ECC to be accepted as the default standard, with a standard curve set.


I'd guess they had a tool capable of exploiting this vulnerability from day 1, but now others have discovered it so they are happy to close this one off and move on to the next zero-day they have in their bag.


Paranoid? Moi?