kisskruto.blogg.se

Windows 7 security flaw

The flaw "is a serious vulnerability, because it can be exploited to undermine Public Key Infrastructure (PKI) trust," wrote Neal Ziring of the NSA's Cybersecurity Directorate in an NSA blog posting. "The vulnerability permits an attacker to craft PKI certificates to spoof trusted identities, such as individuals, web sites, software companies, service providers, or others."

"This vulnerability may not seem flashy, but it is a critical issue," Ziring added. "Trust mechanisms are the foundations on which the Internet operates – and permits a sophisticated threat actor to subvert those very foundations."

Dead man's elliptical curve

The flaw lies "in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates," Microsoft wrote in its advisory. We won't bore you with the technical details of elliptic-curve cryptography, but suffice it to say that "an attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source."

In other words, a hacker could get you to download and install malware that pretended to be something benign, such as a software update, and Microsoft and even the best antivirus software would be none the wiser due to the spoofed digital signature.





