1. 18
  1.  

  2. 2

    Essentially the problem allows an attacker to convince the elliptic curve code to use non-standard or broken curves for verification and encryption operations. This impacts malware protections and most other critical forms of authentication.

    1. 1

      not sure if this is correct but: i can’t safely update the affected systems as the connection to the update hosts may be compromised, with signatures not working too?

      1. 2

        SwiftOnSecurity claims that Windows Update is not vulnerable:

        https://twitter.com/SwiftOnSecurity/status/1217265731152289792

        1. 1

          thanks for the link! would be interesting to have some design docs for this.

          1. 1

            The vulnerability is specific to elliptic curve cryptography. According to Twitter, Windows Update uses RSA as well.

      2. 1

        Wistfully remembers the time before he was a sysadmin when this just meant checking his laptop to make sure it updated and then moving on with his life.

        1. 1

          Krebs on Security had some hints something interesting was in this patch pack:

          https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/