NSA-Discovered CurveBall Windows Crypto Bug Already Turned Into Proof-Of-Concept Exploit

Field of Dreams taught us, "If you build it, he will come," referring to a deceased baseball legend wandering out of a corn field in Iowa. When it comes to PC security, though, if you discover it ("it" being a vulnerability), the proof of concepts will come, and that is precisely what has happened with a "CurveBall" flaw the National Security Agency (NSA) recently discovered.

I wrote about this earlier in the week, noting a report that Microsoft's Patch Tuesday update would plug up a cryptography security hole discovered by the NSA. Part of the reason it was notable (and still is) is because this is the first time the NSA has reported a major bug in Windows to Microsoft (you know, as opposed to keeping the information to itself and exploiting it in the name of, uh, national security).

Security officials have dubbed the bug CurveBall. It affects CryptoAPI (Crypt32.dll), a component responsible for cryptographic operations in Windows. According to security researcher Tal Be'ery, a "flawed implementation of the Elliptic Curve Cryptography (ECC) within Microsoft’s code" is the root cause of the vulnerability.

If exploited, an attacker could pull off an assortment of nefarious stunts. These include launching man-in-the-middle (MitM) attacks, intercepting and faking HTTPS connections, faking signatures for files and emails, and faking signed-executable code launched in Windows.

"Multiple threads: Time to patch your Windows boxes. I'm watching the debate on whether or not this is urgent. If you have something worth protecting, allowing a flaw that subverts the trust system in Microsoft Windows is seriously, seriously bad. Patch," Acting Homeland Security Advisor Rob Joyce wrote on Twitter.

There are already several proof-of-concept exploits based on this bug. This makes it all the more urgent to update Windows if you have not done so already. Exploitation was already "likely," according to Microsoft, and now that public demonstrations are out in the wild, it's pretty much a sure bet malicious actors will leverage the exploit (the vulnerability affects Windows 10, Windows Server 2019, and Windows Server 2016).

On the plus side, this is addressed with the most recent Patch Tuesday update. In addition, Microsoft has updated Windows Defender to detect related threats. Our advice? If you've been putting off updating Windows, stop waiting and apply the latest round of patches.
