back to article Bad news: Windows security cert SNAFU exploits are all over the web now. Also bad: Citrix gateway hole mitigations don't work for older kit

Easy-to-use exploits have emerged online for two high-profile security vulnerabilities, namely the Windows certificate spoofing bug and the Citrix VPN gateway hole. If you haven't taken mitigation steps by now, you're about to have a bad time. While IT admins can use the proof-of-concept exploit code to check their own systems …

  1. bombastic bob Silver badge
    Meh

    I've always *HATED* application and driver certs

    I've always *HATED* application and driver certs. In many ways, it's an ASSAULT ON OPEN SOURCE AND FREE SOFTWARE.

    A lot of this started with windows vista, so the problem exists in 7 as well. Microshaft NOW requires all kernel drivers to be signed by *THEM* for a "modest fee", a TOLLBOOTH on the information highway, in essence. It's a TOTAL RIPOFF.

    iOS's attempted "lockdown" is no better. At least there's a method by which an indie developer for Android can make an APK available for whoever wants to download it.

    anyway...

    It was ONLY a MATTER OF TIME before it got CRACKED. THEN they'll issue a "fix", which will "work" for a while, and it will get CRACKED AGAIN.

    It's really a false sense of security.

    The biggest problem behind this (other than poorly written poorly tested windows code) is RUNNING WITH ADMIN CREDENTIALS *ALL* OF THE TIME!

    In Linux (and other POSIX) systems, running as 'root' all of the time is discouraged on many levels. Some programs won't even run without explicitly setting a flag someplace to allow running as 'root'. Others simply warn you and force you to click through an approval every time.

    Windows COULD use a POSIX-like security model, too, because 'administrator' usually doesn't give you the *kinds* of access you REALLY need. Unless you're MALWARE...

    This "cert" nonsense SHOULD be a reason to NOT use Windows. I think that *eventualy* it COULD become that. In the mean time, Micro-shaft charges a FEE to "certify" your CRapp or driver, to give a FALSE! SENSE! OF! SECURITY! to end-users, because HOW many "the store" CRapps for iOS and Android have been distributed with "certifications" on them, only to require being REMOVED from "the store" because they're really MALWARE???

    Yeah. FALSE sense of security. I say let developers make what they want, and let users just BEWARE and EXERCISE CAUTION instead. Like a form of "street smarts" except it's with SOFTWARE.

    1. Louis Schreurs

      it's an ASSAULT

      it is i dunno wot all those caps

      1. RyokuMas Silver badge
        Boffin

        Re: it's an ASSAULT

        "it is i dunno wot all those caps"

        It's a means of emphasis commonly employed by those who don't understand how to use the strong tag, and whose vocabulary means that they cannot express themselves otherwise.

        In other words it's to express strong feelings. Which, apparently are irrelevant...

      2. Phil O'Sophical Silver badge

        Re: it's an ASSAULT

        bombastic : marked by or given to speech or writing that is given exaggerated importance by artificial or empty means

    2. Anonymous Coward
      Anonymous Coward

      No worse than OAUTH

      Platforms that enforce OAUTH can pull the rug from under Client applications that get too popular and then the Platform owner can then bring out their own version, after locking out the original.

    3. gerdesj Silver badge
      Linux

      Re: I've always *HATED* application and driver certs

      Bob, me old fruit. Windows is not Open Source and this flaw is in Windows 10. However, you don't have to use it. There are lots of penguins available to bother or why not dabble with a daemon, if that is your bag?

      Please go easy on the turps at this time of the morning and sort out that sticky caps lock on your keyboard.

    4. LDS Silver badge

      Re: I've always *HATED* application and driver certs

      You know that packages that you download from any reputable Linux distro are signed as well, to avoid you get tampered with ones?

      1. Anonymous Coward
        Anonymous Coward

        Re: I've always *HATED* application and driver certs

        @Linux "distro are signed as well" yes so you can manually validate that what you downloaded is the same as published however the OS does not care one way or the other.

        Any external authority that gets privileged access is always going to be a target for attack so as to obtain the same privilege for those that wish to abuse it.

        Over and again we have been told that X is unbreakable only for it to be proven that anything that a human can create another human (or the same human both times) can destroy. Where people sell the idea that their offering goes against the trend then surely they should have to give the money back when it is found to be false advertising.

  2. Blackjack

    Firefox is not affected by this bug

    Not is any Firefox based browser, like Icecat.

    1. LDS Silver badge

      Re: Firefox is not affected by this bug

      Every application that doesn't use Windows crytpo API isn't affected, obviously.

  3. Louis Schreurs

    Cit-tricked

    My perverted mind read

    Clit-tricks

  4. CAPS LOCK Silver badge

    Hullo, NSA? Microsoft here...

    ... You know that backdoor we put in elliptic key encryption, well, if you've finished with it we'd like to release the details to 'encourage' people off Win7.

    1. phuzz Silver badge
      Gimp

      Re: Hullo, NSA? Microsoft here...

      This vuln doesn't affect Windows 7 (or 8 for that matter). It's specific to Windows 10 and Server 2016/2019.

      Which means that in the last few years, someone decided to rewrite the way Windows checks certificates, presumably with the intent of making it more secure.

      They* really fucked up that one.

      * they, and everyone who's job it was to check the code

      1. Boris the Cockroach Silver badge
        WTF?

        Re: Hullo, NSA? Microsoft here...

        Quote

        They* really fucked up that one.

        * they, and everyone who's job it was to check the code

        CHECK the code? we cant afford to have a QA department, shove the code out the door and patch it if its got a flaw.. sheesh

        Every QA person is 30 grand off my bonus ffs

        1. LDS Silver badge

          Re: Hullo, NSA? Microsoft here...

          It's worse than only QA - evidently those who modified the code didn't have a clue. Note that this bug impacts only ECC, because when other types of cryptography are used the checks are performed.

          So it looks they have some new cheap interns from Mumbai who are tasked to write critical code...

      2. CAPS LOCK Silver badge

        "This vuln doesn't affect Windows 7"

        'Blimey. that's even cleverer of Microsoft, frighten people off Win7 with something that doesn't even affect it.

        1. ThatOne Silver badge

          Re: "This vuln doesn't affect Windows 7"

          Well, among the big scary announcements of the 14th, the CryptoAPI spoofing vulnerability CVE-2020-0601 affects only Win10 indeed, but the Windows Remote Desktop client and RDP Gateway Server vulnerability (CVE-2020-0611) affects "Win7 and newer" (source: US-CERT).

          So there is indeed a part of the "Win7 is sooo dangerous!" scare which is partially true, although normally Microsoft is suppose to have patched that issue in the January 14th patch, the last Win7 did get. Which means unless you didn't get that last patch, you're safe(-ish).

          1. phuzz Silver badge
            FAIL

            Re: "This vuln doesn't affect Windows 7"

            If your Windows 7 machine has RDP turned on and hooked directly up to the internet then you've made some bad decisions in life.

  5. 1752
    Unhappy

    a logo and website

    No just please no. Just stop this 'a logo and website' bollocks.

  6. Tom Paine Silver badge

    Angry Bob

    (Re subheadline)

    Angry Bob may not be the patron saint of infosec droids, but he's MY patron saint, oh yes.

    https://youtu.be/1-9qxUy1cDY

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020