{"id":17474,"date":"2020-01-17T08:30:16","date_gmt":"2020-01-17T16:30:16","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2020\/01\/17\/news-11209\/"},"modified":"2020-01-17T08:30:16","modified_gmt":"2020-01-17T16:30:16","slug":"news-11209","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2020\/01\/17\/news-11209\/","title":{"rendered":"Worried about an NSA ChainOfFools\/CurveBall attack? There are lots of moving parts. Test your system."},"content":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Fri, 17 Jan 2020 06:42:00 -0800<\/strong><\/p>\n

If you want to install the January Patch Tuesday patches, by all means, go right ahead. That said, I continue to recommend that you hold off installing the January Microsoft patches until we get a clearer reading on potential bugs.<\/span><\/p>\n

The pro-patch-now argument generally goes something like this: <\/span>Everybody<\/i><\/strong> is recommending that you install the patches to protect against the Crypto bug \u2014 almost all of the major security folks, the researchers, the big online sites, your local news station, your congresscritter, your neighbor’s nine-year-old, even the bleeping NSA. It’s a little patch. Why not just install it and be done with it?<\/span><\/p>\n

Life’s not so simple. Microsoft has a horrible track record with updates. (You can see a month-by-month listing, going back 25 months, in<\/span> this series of posts<\/span><\/a> on Computerworld<\/em>.) Some folks install the latest Microsoft updates like clockwork and never have a problem. But far too many Windows customers get bit. I\u2019m still waiting to see if there are any big problems with the January crop.<\/span><\/p>\n

The security folks, by and large, focus on one specific potential threat and don’t consider the rest of the picture. That\u2019s understandable, but the big picture this month is very big indeed. <\/span><\/p>\n

For many admins, this month’s Remote Desktop Gateway fix is<\/span> much more important<\/span><\/a>. Admins already have their plates full with<\/span> Citrix vulnerabilities<\/span><\/a> and the 334 security patches just<\/span> dropped by Oracle<\/span><\/a>. On a scale from one to ten, those are bonafide tens. The ChainOfFools\/CurveBall CVE-2020-0601 threat? Not so much.<\/span><\/p>\n

For those of you who aren’t guarding state secrets or corporate kickback schemes, the situation’s much simpler. There are several ChainOfFools\/CurveBall Proof of Concept programs floating around. Saleem Rashid has a particularly<\/span> entertaining one on GitHub<\/span><\/a>. But they aren’t anywhere close to being widespread attacks.<\/span><\/p>\n

They all suffer from a fatal flaw: Your machine has to pick up (“cache”) a specific good security certificate before that certificate can be attacked. So if the attacker is using a zapped version of the XYZ security certificate, say, you must first cache a good copy of the XYZ certificate. Current cracking attempts revolve around modifying a certificate that\u2019s installed by default in Windows. We aren’t at crisis stage yet.<\/span><\/p>\n

There are other hurdles a potential piece of CurveBall scumware faces:<\/span><\/p>\n

If you\u2019re wondering whether your system is susceptible, Bojan and the folks at SANS have come up with a detailed <\/span>analysis of attack patterns<\/span><\/a>, and a website that you can use to see if your browser is vulnerable.\u00a0<\/span><\/p>\n

Go to <\/span>https:\/\/curveballtest.com\/index.html<\/span><\/a>. The site will tell you immediately if your specific system, using that specific browser, is susceptible. Chances are very good you\u2019ll see the OK screen, which looks like the screenshot.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

On my unpatched Win10 1809, 1903 and 1909 Pro systems, running Firefox, Chrome and Brave, I\u2019m seeing \u201cYou Are Not Vulnerable\u201d signs.<\/span><\/p>\n

Of course, that doesn\u2019t cover all possible infection routes. But it certainly plucks off the most obvious. And, again, we haven\u2019t seen any \u201creal\u201d malware out in the wild.<\/span><\/p>\n

My recommendation is that you install the January Patch Tuesday patches immediately only if you get a \u201cYou Are Vulnerable\u201d response from the SANS test page. If you\u2019re all clear, meh, stay out of the unpaid beta-testing pit and hold off on installing the January patches until we have a clearer picture of potential collateral damage.<\/span><\/p>\n

We\u2019re following closely <\/span>on AskWoody.com<\/span><\/a>.\u00a0<\/span><\/em><\/p>\n

http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Fri, 17 Jan 2020 06:42:00 -0800<\/strong><\/p>\n

\n
\n

If you want to install the January Patch Tuesday patches, by all means, go right ahead. That said, I continue to recommend that you hold off installing the January Microsoft patches until we get a clearer reading on potential bugs.<\/span><\/p>\n

The pro-patch-now argument generally goes something like this: <\/span>Everybody<\/i><\/strong> is recommending that you install the patches to protect against the Crypto bug \u2014 almost all of the major security folks, the researchers, the big online sites, your local news station, your congresscritter, your neighbor’s nine-year-old, even the bleeping NSA. It’s a little patch. Why not just install it and be done with it?<\/span><\/p>\n

To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[10516,714,10525],"class_list":["post-17474","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-microsoft","tag-security","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17474","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17474"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17474\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17474"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17474"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17474"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}