• The morning after — I recommend that you hold off on installing this month’s patches

    Yes, I know that everyone + brother is now chanting, “Patch, patch, patch!” in response to the NSA-revealed Win10 Crypt32 security hole.

    I say it’s still too early for most Windows users to patch. There aren’t any widely-available exploits, and no large scale attack is imminent. Better to keep your head about you. Let’s see how the patches shake out.

    If you’re in charge of a Server 2012, 2012 R2, 2016 or 2019 based network, and you’re running RDgateway, the story’s much more complicated. See Susan’s post, next, for details.

    We’re still at MS-DEFCON 2, in spite of what the NSA says. (And everybody else, for that matter.)

    Details in Computerworld Woody on Windows.

    By the way, those concerned about CVE-2020-0601 being used to break Windows Update… it ain’t gonna happen. See this Twitter thread. Also, this tweet from Tero Alhonen, quoting yesterday’s Microsoft Security Webcast: “The Crypto API vulnerability could not exploit or in anyway remove the trustworthiness of Windows Update. Windows Updates as you know are multiply signed and it’s not possible to spoof Windows Update binaries using the Crypto API vulnerability.”

    UPDATE: Great explainer from Tal Be’ery on Zengo: Cheating in Elliptic Curve Billiards.

    UPDATE: Saleem Rashid has posted a working Proof of Concept for the Chrome (and presumably Chredge) browser. It throws a NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED error.