• Is your system susceptible to a ChainOfFools/CurveBall CVE-2020-0601 attack?

    There’s a simple SANS test to see if your particular browser, running on your particular machine, is susceptible. That doesn’t cover all possibilities, but it’s certainly indicative.

    Detailed discussion in Computerworld Woody on Windows.

    We’re still at MS-DEFCON 2. Unless your system, specifically, triggers a “You Are Vulnerable” warning in the SANS test, I recommend that you wait to patch.

    UPDATE: Some scary stuff from Benjamin Delpy, @gentlekiwi. He’s come up with a scenario where a malicious Word VBA macro can run, if you set VBA to “Disable all macros except digitally signed” and your machine has cached the Microsoft ECC Product Root Certificate Authority 2018 cert. His example requires you to manually activate the macro – but it’s still scary.

    UPDATE: Lawrence Abrams at BleepingComputer has a detailed account of various devious methods that bypass normal certificate validation, thanks to CVE-2020-0106.