FOXTROT/ALFA: NSA Discloses Windows Crypto Zero-Day, The End of Windows 7, Games Workshop Warns of Microsoft Dynamics 365 Switch

Welcome to Patch Day and issue 62 of FOXTROT/ALFA. Today is Tuesday, 14 January 2020 and it’s a special day indeed as not only does the support for Windows 7 end today, but this Patch Day also brings the breaking news that Microsoft fixed a killer bug in Windows that was disclosed (as opposed to weaponised) by the NSA.

Patch Tuesday: Microsoft Closes Major Bug Reported by the NSA

Well, here’s a first: For the first time ever, there’s a fix for a security vulnerability that has officially been attributed to the NSA. It’s a flaw in the Windows CryptoAPI – the underlying framework that provides all cryptographic functions in modern versions of Windows – that allows an attacker to spoof Elliptic Curve Cryptography (ECC) certificates. The vulnerability has been designated CVE-2020-0601.

Microsoft is patching a serious flaw in various versions of Windows today after the National Security Agency (NSA) discovered and reported a security vulnerability in Microsoft’s handling of certificate and cryptographic messaging functions in Windows. The flaw, which hasn’t been marked critical by Microsoft, could allow attackers to spoof the digital signature tied to pieces of software, allowing unsigned and malicious code to masquerade as legitimate software.

The bug is a problem for environments that rely on digital certificates to validate the software that machines run, a potentially far-reaching security issue if left unpatched. The NSA reported the flaw to Microsoft recently, and it’s recommending that enterprises patch it immediately or prioritize systems that host critical infrastructure like domain controllers, VPN servers, or DNS servers.

It’s unusual to see the NSA reporting these types of vulnerabilities directly to Microsoft, but it’s not the first time the government agency has done so. This is the first time the NSA has accepted attribution from Microsoft for a vulnerability report, though.

Independent infosec journalist Brian Krebs claims this disclosure will be the first of many for the NSA.

Sources say this disclosure from NSA is planned to be the first of many as part of a new initiative at NSA dubbed “Turn a New Leaf,” aimed at making more of the agency’s vulnerability research available to major software vendors and ultimately to the public.

This would make some sense, as part of the NSA’s official mission is to protect US computer systems. In reality, this mission has, so far, often been neglected in favour of finding zero-day vulnerabilities that can be used to attack others.

Microsoft’s website has more information on the vulnerability and on how it is patched in each specific version of Windows. The NSA also has a security advisory on the vulnerability.
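As an added example (not code from the newsletter, Microsoft or the NSA), and covering a detail the text above does not: the root cause of CVE-2020-0601 was that CryptoAPI accepted ECC certificates whose curve was spelled out as explicit parameters rather than referenced by a named-curve OID. The stdlib-only Python below classifies a DER SubjectPublicKeyInfo by that distinction using constructed sample keys, so a defender can flag the explicit-parameter form in certificates their own tooling accepts.

```python
"""Classify how an X.509 SubjectPublicKeyInfo (SPKI) encodes its EC curve.
Added example, not from the newsletter, Microsoft or the NSA; stdlib only.
The sample keys below are constructed placeholders, not real certificates."""
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
NAMED_CURVES = {"1.2.840.10045.3.1.7": "prime256v1", "1.3.132.0.34": "secp384r1"}

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(value):
    """Decode OID contents to dotted form."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def classify_ec_spki(spki):
    """Return 'named:<curve>', 'explicit', 'implicit' or 'not-ec'.
    Only 'named:' pins the curve to a well-known OID. 'explicit' keys carry
    their own field, coefficients and generator, the shape CVE-2020-0601
    concerned, so a strict validator should refuse them."""
    tag, body, _ = _tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SPKI must be a SEQUENCE")
    _, alg, _ = _tlv(body, 0)             # AlgorithmIdentifier
    tag, oid, pos = _tlv(alg, 0)
    if tag != 0x06 or _oid(oid) != ID_EC_PUBLIC_KEY:
        return "not-ec"
    tag, params, _ = _tlv(alg, pos)       # namedCurve OID | ECParameters | NULL
    if tag == 0x06:
        dotted = _oid(params)
        return "named:" + NAMED_CURVES.get(dotted, dotted)
    return "explicit" if tag == 0x30 else "implicit"

def _der(tag, body):                      # short-form lengths only (< 128 bytes)
    return bytes([tag, len(body)]) + body

# Constructed samples: a P-256 key (named curve) and the same key with explicit
# parameters (ECParameters abbreviated to its version field for brevity).
_EC, _P256 = bytes.fromhex("2A8648CE3D0201"), bytes.fromhex("2A8648CE3D030107")
_POINT = _der(0x03, b"\x00\x04" + bytes(64))   # placeholder uncompressed point
NAMED_SPKI = _der(0x30, _der(0x30, _der(0x06, _EC) + _der(0x06, _P256)) + _POINT)
EXPLICIT_SPKI = _der(0x30, _der(0x30, _der(0x06, _EC) + _der(0x30, _der(0x02, b"\x01"))) + _POINT)
```

Run against real certificates, feed the DER-encoded SubjectPublicKeyInfo field; anything classified as `explicit` deserves a closer look before being trusted.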

Windows 7 Reaches End of Life

With today’s Patch Tuesday, Windows 7 and Windows Server 2008 reach their end-of-life. From now on, there will be no more security updates for these operating systems – unless you are a volume licensing customer and pay Microsoft a lot of money. And even then, you should get off both of these operating systems as soon as possible now.

Windows 7 end-of-support arrives more than 10 years after the OS was released on Oct. 22, 2009. When the support period ends, technical assistance and software updates via Windows Update will no longer be available. Related Windows 7 services will be discontinued over time; the Electronic Program Guide for Windows Media Center, for one, will be shut down this month.

Some services will continue to receive support. Microsoft will continue to support its Edge browser for another 18 months, terminating support on July 15, 2021, at the earliest. Google will support Chrome on Windows 7 for the same time frame, the company confirmed last week.

Even so, there are still millions of PCs on Windows 7.

Windows 7 became so popular, in fact, that it took Windows 10 nearly four years just to pass it in market share. Even today, millions of PCs are still running Windows 7, and the operating system still runs on a massive 26 percent of all PCs according to data from Netmarketshare. Microsoft spent years trying to get people to upgrade to Windows 10 free of charge, but tens of millions of PCs will now be left vulnerable to exploits and security vulnerabilities.

Despite the end of support, Windows 7 looks like it has some life left in it yet. It could take another year or two to get Windows 7 firmly below 10 percent market share, especially when Google is committing to support Chrome on Windows 7 until at least the middle of 2021. That presents Microsoft with some headaches for ongoing support. We’ve already seen the software giant break with tradition multiple times for Windows XP, issuing public patches for the operating system after its end of support date. Given the increases in ransomware attacks in recent years and their devastating effects, it’s likely we’ll see public Windows 7 security patches in the future.

Don’t take that as an excuse, though. Get off Windows 7 NOW! That’s it … you have been warned. I don’t want to hear any whinging when you don’t listen and then your systems get hacked.

Amazon is Fighting Microsoft’s Department of Defense JEDI Contract in Court

In October, Microsoft won a $10 billion contract with the US Department of Defense (DoD) for the Pentagon’s new Joint Enterprise Defense Infrastructure (JEDI). Amazon was one of the contenders who lost out and clearly isn’t happy about it. They have now asked a court to block the deal from going any further.

The filing, on 13 January, sets up the lawyer paydays schedule for key dates including 11 February, when AWS and Microsoft’s lawyers have agreed to expect a court to decide on AWS’s motion for a temporary restraining order. A preliminary injunction is also possibly on the cards.

The significance of February – and the reason for the sped-up negotiated schedule – is that three days before Valentine’s, the $10bn mega-contract is supposed to begin, and, as the filing notes, “the United States has previously advised AWS and the Court it will begin on February 11, 2020,” reiterating that “the United States' consistent position that the services to be procured under the Contract are urgently needed in support of national security.”

Well, I guess we’ll see rather quickly how that one goes down.

Games Workshop Warns it’s Switching to Microsoft Dynamics 365

Games Workshop is changing its enterprise resource planning (ERP) software to Microsoft Dynamics 365 and is projecting there could be some business disruption because of that. So just be aware that your order of Sisters of Battle not getting shipped could actually be Microsoft’s fault.

In the Nottingham-HQ’d fiscal ‘20 half-year report released today for the period ended 1 December, Games Workshop lists significant dangers and uncertainties, including the three-letter acronym that has the potential to strike fear into the hearts of techies across the kingdom.

“We are changing our core ERP system in the UK, which is a complicated project with the risk of widespread business disruption if it is not implemented well. It is being implemented and managed by a strong internal project team and specialist ERP software consultants,” the report explained.

Fingers crossed the techies involved can keep it that way because ERP deployments are notoriously complex, and have a nasty habit of taking longer than expected and, in some cases, costing an arm and a leg.

And now comes the part that should actually scare everyone:

“Following our move to a more agile methodology some phases of this complex project are now live with the remaining phases planned to go live in 2020,” it added.

If you have ever worked at a company that moved to an “agile methodology”, you know what that means. Things will get a lot worse before they get better (if they ever do).

Games Workshop’s latest financial results show pre-tax profit rose to £58.6m for the six months, a 43 per cent gain versus the same period in 2018. Revenue grew 18 per cent to £148.4m. A business that is crossing the ERP chasm and not going into meltdown – now we really are in the realms of fantasy.

Interactive Map for Netflix’ The Witcher

I’ve seen The Witcher on Netflix twice now and I love it very much. The only criticism I have is that the timeline of the interwoven events is very confusing if you’ve never dug into the lore behind Sapkowski’s stories or the games from CD Projekt. If you’ve been confused by what happens when and in what order in the show, check out this amazing interactive map made by Netflix. It really is something to behold.

A compass has no great importance to a witcher. Stride ahead. Keep your ear to the ground and your eyes on the horizon. Time will give you the answers you seek.

Also Noteworthy

Some other stories that are worth a read:

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.