“The NSA discovered an error in the Microsoft code that verifies those signatures, potentially enabling a hacker to forge the signature”https://www.washingtonpost.com/national-security/nsa-found-a-dangerous-microsoft-software-flaw-and-alerted-the-firm--rather-than-weaponize-it/2020/01/14/f024c926-3679-11ea-bb7b-265f4554af6d_story.html …
-
-
Replying to @kennwhite
So just an Authenticode bypass? Meh. As
@taviso said, nothing like an RCE in PE parsing, not even sure what the NSA would do with this. It might be a fun crypto vuln though!2 replies 2 retweets 13 likes -
Replying to @FiloSottile @taviso
if it requires privileged network active intercept and DNS spoofing for updates, it would be overblown. But as the Zen master said, We'll see...
1 reply 3 retweets 15 likes -
Replying to @kennwhite @taviso
Oh is Authenticode literally the only thing standing between the network and installing updates? Surely they connect via TLS to Microsoft or private network to corporate servers?
5 replies 1 retweet 8 likes -
Connected via TLS that is validated how exactly?
2 replies 1 retweet 40 likes -
Are you saying this affects X.509 validation?
1 reply 0 retweets 22 likes -
Indeed I am.
5 replies 5 retweets 84 likes -
Replying to @wdormann @FiloSottile and
A big thing I've not found in any writeup is a list of which major browsers use the affected windows crypto libraries and are therefore also vulnerable to MITM attacks until you update windows. Firefox uses NSS - does that mean it is not susceptible? What about Chrome, Edge, etc?
1 reply 0 retweets 1 like -
Replying to @aggieNick02 @FiloSottile and
Chrome uses the affected library. As do Edge and IE. To be honest, Firefox is the only Windows browser I'm aware of at the moment that rolls their own crypto.
2 replies 1 retweet 3 likes -
Replying to @wdormann @aggieNick02 and
I'm seeing Mozilla source that indications they use the "CertGetCertificateChain" function https://github.com/mozilla/gecko-dev/search?q=certgetcertificatechain&unscoped_q=certgetcertificatechain …
1 reply 0 retweets 1 like
Indeed, but only for the optional (not on by default) enterprise root support feature. https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox …
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.