Wednesday, January 15, 2020

A most unusual (but critical) Windows security update

There is a nasty security bug in Microsoft Windows 10 and Windows Server 2016.  You will want to update your operating system today.  Here's a handy guide on how to check if you already have the update, and if not, how to get it manually.  This covers Windows 7, 8, and 10; if you have an older version then it's no longer supported and you don't really have any good options.  Skip to the end of this post for some thoughts on what to do.

But this is a really interesting security bug, not because of the nature of the bug itself but because of how it was reported.  The bug is in the cryptographic subsystem, the library that does all the encryption routines.  This is pretty critical - not only does it handle the encryption of your browser traffic, but even more importantly (WAY more importantly) it verifies that you are talking to the actual web server that you want to and not some skeevy H4x0R site.  Most importantly of all, it verifies that the software you download (including, say, Windows security updates) is actually from Microsoft (and not from some skeevy H4x0R site).

Yeah, this is important.

But the interest here is that this was reported to Microsoft by the NSA.  Remember the Edward Snowden revelations?  NSA is ground zero for collecting attack techniques and code that the Fed.Gov can use against its enemies, foreign and domestic.  Here was a vulnerability present on literally every modern Windows computer in the universe, and they up and tell Microsoft to go build a patch for it.

Remember, these are the same guys who weakened the elliptic curve encryption routines so they could break all the web traffic, and these are the guys who paid RSA Data Security, Inc. tens of millions of dollars to slip weaknesses into the most popular encryption code sold at the time.  Now they're giving away the farm, so to speak.

Hmmmmm.  Here's the story and the interesting bit:
The NSA’s Neuberger said in a media call this morning that the agency did indeed report this vulnerability to Microsoft, and that this was the first time Microsoft will have credited NSA for reporting a security flaw. Neuberger said NSA researchers discovered the bug in their own research, and that Microsoft’s advisory later today will state that Microsoft has seen no active exploitation of it yet.
What's weird is that this is how you're supposed to do things - find a bug, report it to the developer, developer creates a patch, developer gives you credit for finding the bug.  But NSA actually did this, rather than keep the exploit secret.  Maybe some foreign government had discovered the vulnerability and somehow NSA found this out.  Who knows?  In any case, well done to NSA for doing it the Right Way.

But if you have Windows 10, go patch now.
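Two checks a practitioner would run after reading the above, as an added example that is not part of the original post: whether the update is already installed, and whether a manually downloaded update package actually carries a valid Microsoft signature (the very thing the post says the cryptographic subsystem does for you). The KB number and the package path are placeholders, since the post does not give them; look the KB number up in Microsoft's advisory for your Windows build.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# prompt on the Windows 10 / Server 2016 machine you want to check.
#
# Assumptions (placeholders, not taken from the page):
#   - $KbId is the KB number of the January 2020 update for your build; the
#     post does not give it, so take it from Microsoft's advisory.
#   - $Package is the path of a standalone update package (.msu) that you
#     downloaded by hand. Only the second check needs it.
$KbId    = 'KB0000000'                  # PLACEHOLDER: replace with the real KB number
$Package = 'C:\Downloads\update.msu'    # PLACEHOLDER: path of a manually downloaded package

# --- Check 1: is the update already installed? ---------------------------
# Get-HotFix reads the same data as "View installed updates" in Control Panel.
$hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
if ($hotfix) {
    "Installed: {0} on {1}" -f $hotfix.HotFixID, $hotfix.InstalledOn
} else {
    "NOT installed: $KbId - run Windows Update, or install the package manually"
}

# Record the OS build too, because the KB number differs per Windows build.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
"OS: {0} build {1}" -f $os.Caption, $os.BuildNumber

# --- Check 2: is a manually downloaded package signed by Microsoft? -------
# Windows performs this kind of check for you; doing it explicitly before you
# double-click the package costs nothing and makes the result visible.
if (Test-Path $Package) {
    $sig    = Get-AuthenticodeSignature -FilePath $Package
    $signer = $sig.SignerCertificate.Subject
    $ok     = ($sig.Status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')
    "Signature status: {0}" -f $sig.Status
    "Signer:           {0}" -f $signer
    if ($ok) { "OK: package is signed by Microsoft" }
    else     { "DO NOT INSTALL: signature invalid or signer is not Microsoft" }
} else {
    "No package at $Package - skipping the signature check"
}
```

One caveat: on a machine that does not yet have the update, the second check runs through the very library the bug lives in, so its verdict is only as trustworthy as that library. Prefer getting the update through Windows Update, or run the signature check on a machine that is already patched before carrying the package over.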

If you have an old version of Windows - say, XP - you don't have support anymore.  It's no longer being maintained, so no more security patches.  You really have three choices here:

1. Stay on XP, and realize that some day you're going to get pwned.  It's sad to say, but it's not a question of if something will take over your computer, it's when.

2. Upgrade to a newer version of Windows, which probably will mean buying a new computer.  Windows is famously resource-hungry, and Windows 10 will be slow as molasses on a computer that came loaded with XP.  ASM826 and I put up a series of posts on backing up your data, so you can move everything over (you do back up your data, don't you?)

3. Load Linux on your existing computer.  Linux is a lot happier on old hardware than modern Windows is, and the backup techniques in the posts linked above will work just dandy on it.  Here's an old post recommending Linux Mint.

6 comments:

Eck! said...

Started with Ubuntu 7.04 and never looked back. That was brought
on by NT4 getting timed out and the replacements were unappealing.

More recent is Mint 17.03 and ran that to 18.03 solid and fast even
on a Mintbox (quad core AMD64 at 1.6GHz and 8GB).

So I run a mix of Ubuntu (unity and LXDE variants) and Mint.

With rare exception I've found replacements for everything save
for a few items only for winders like MPlab, 4nec2, and that runs
very well under wine.

For antiques there are a few older Linux that run on 486 hardware
and early P1 machines that I have because of ISA 8 and 16 support.
Also Eee PC 701 (Celeron mobile 900, 1GB). Many of the more current
distros are not supporting 32-bit and many do not have support for older non-PAE machines. However there are many others that do.

You can run early DOS or winders on them but networking support
is not there. So Linux is a good way out.

Eck!

jabrwok said...

I have a lot of programs that I've downloaded to my computer and which all work fine on Windows7. Will Linux support them? I don't have a list handy (at work right now).

Beans said...

Thanks for the warning. Ran it, took forever to load, replaced 3.4GB of coding. (I always run a disk cleanup after a big update, or once a week just out of practice, something I've done since leaving Windows 3.1)

Maybe the NSA reported it because foreign forces were already using it, so letting the cat out of the bag was a way of stopping outsiders snooping. Which is one of the functions of the NSA.

And I am sure the NSA knew about the flaw long before anyone else, and used it inappropriately here on certain someones, while also using it overseas. Not that I'm a conspiracy nut, but it does seem like the three-letter-agencies were used improperly or criminally against opponents of the previous administration.

LindaG said...

Is windows disk cleanup sufficient or do you recommend something else?

Borepatch said...

Jabrwok, I'll put up a separate post about moving to Linux. It's been quite a while since I've done this and things have gotten a lot better.

LindaG, the Windows Disk Cleanup should be fine.

jabrwok said...

Borepatch: much appreciated!