So just an Authenticode bypass? Meh. As @taviso said, nothing like an RCE in PE parsing, not even sure what the NSA would do with this.
It might be a fun crypto vuln though!
-
-
Replying to @FiloSottile @taviso
if it requires privileged network active intercept and DNS spoofing for updates, it would be overblown. But as the Zen master said, We'll see...
1 reply 3 retweets 15 likes -
Replying to @kennwhite @taviso
Oh is Authenticode literally the only thing standing between the network and installing updates? Surely they connect via TLS to Microsoft or private network to corporate servers?
5 replies 1 retweet 8 likes -
Connected via TLS that is validated how exactly?
2 replies 1 retweet 40 likes -
Are you saying this affects X.509 validation?
1 reply 0 retweets 22 likes -
Indeed I am.
5 replies 5 retweets 84 likes -
Oooh, now, that's fun.
1 reply 1 retweet 55 likes -
Replying to @FiloSottile @wdormann and
Client cert or similar auth could make this very bad(tm) too....
1 reply 0 retweets 10 likes -
Replying to @dyn___ @FiloSottile and
I was thinking the same too. This could be more than network MITM if client side certificates can be spoofed.
1 reply 0 retweets 7 likes -
Replying to @farhanible @dyn___ and
So doesn’t make sense why it’s rated important and not critical. Unless client cert authentication isn’t affected.
3 replies 1 retweet 1 like
I wouldn't rely much on any particular vulnerability importance scoring system in the wild these days. For starters, they're often limited to scoring a vulnerability alone in a vacuum, as opposed to how it's likely to be used with its friends in the real world.
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.