Don’t panic re this one. https://twitter.com/briankrebs/status/1216847668414222336
It's not an RCE, it's not EternalBlue etc etc.
Here's a question: do you use digital signatures as a key security boundary control? I can count on my left little finger the number of orgs that do. Patch your Citrix, Fortigate, Pulse Secure SSL VPN boxes and your 11 month old SharePoint vuln. And turn off SMB1.
There’s a bit more info here; the MS patches drop in about half an hour. Btw, it doesn’t apply to Win7 or 2008. https://www.bbc.com/news/technology-51106356
The Microsoft advisory is out now. 1) It’s only rated Important. 2) It’s a spoofing issue. 3) To get RCE with it you would need auth, and to have code exec already. The NSA did a big press tour before the announcement, so expect big media play. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601
Replying to @GossiTheDog
You are underestimating what can be done and I’m not really in a position to provide details.
Replying to @dakami
There are, of course, extra theoretical attack scenarios and issues for some orgs. But the same with Meltdown. Keep calm and patch.
Replying to @GossiTheDog
No. This is reliable by-design remote bug land. I’ve exploited this space before (Google PKI Layer Cake) and this is much more powerful. I see *why* you think this. The remote RCE takes a few hops. It’s just a super generic target.
Replying to @GossiTheDog
Like I said, they gave my bug an Important too. Sometimes you also trust the NSA.