1/ Insights from analyzing Chrome's patch for #curveball #cve20200601 to protect Chrome's users on vulnerable unpatched #Win10 machines
https://chromium-review.googlesource.com/c/chromium/src/+/1994434/6/net/cert/cert_verify_proc_win.cc …
See also
@KudelskiSec blog https://research.kudelskisecurity.com/2020/01/15/cve-2020-0601-the-chainoffools-attack-explained-with-poc/ … “Although not entirely, as the system still detects that the root certificate is not the same as the one in the root CA store.”
How far does pinning mitigate?
If I understand the question correctly then app side mitigation can work, see Chrome's patch. Unpatched CryptVerifyCertificateSignatureEx() works fine. https://twitter.com/TalBeerySec/status/1218130314066845698?s=20 …