Essentially the problem allows an attacker to convince the elliptic curve code to use non-standard or broken curves for verification and encryption operations. This impacts malware protections and most other critical forms of authentication.
not sure if this is correct but: i can’t safely update the affected systems as the connection to the update hosts may be compromised, with signatures not working too?
SwiftOnSecurity claims that Windows Update is not vulnerable:
thanks for the link! would be interesting to have some design docs for this.
The vulnerability is specific to elliptic curve cryptography. According to Twitter, Windows Update uses RSA as well.
Wistfully remembers the time before he was a sysadmin when this just meant checking his laptop to make sure it updated and then moving on with his life.
Krebs on Security had some hints something interesting was in this patch pack: