If you want to install the January Patch Tuesday patches, by all means, go right ahead. That said, I continue to recommend that you hold off installing the January Microsoft patches until we get a clearer reading on potential bugs.
The pro-patch-now argument generally goes something like this: Everybody is recommending that you install the patches to protect against the Crypto bug — almost all of the major security folks, the researchers, the big online sites, your local news station, your congresscritter, your neighbor’s nine-year-old, even the bleeping NSA. It’s a little patch. Why not just install it and be done with it?
Life’s not so simple. Microsoft has a horrible track record with updates. (You can see a month-by-month listing, going back 25 months, in this series of posts on Computerworld.) Some folks install the latest Microsoft updates like clockwork and never have a problem. But far too many Windows customers get bit. I’m still waiting to see if there are any big problems with the January crop.
The security folks, by and large, focus on one specific potential threat and don’t consider the rest of the picture. That’s understandable, but the big picture this month is very big indeed.
For many admins, this month’s Remote Desktop Gateway fix is much more important. Admins already have their plates full with Citrix vulnerabilities and the 334 security patches just dropped by Oracle. On a scale from one to ten, those are bonafide tens. The ChainOfFools/CurveBall CVE-2020-0601 threat? Not so much.
For those of you who aren’t guarding state secrets or corporate kickback schemes, the situation’s much simpler. There are several ChainOfFools/CurveBall Proof of Concept programs floating around. Saleem Rashid has a particularly entertaining one on GitHub. But they aren’t anywhere close to being widespread attacks.
They all suffer from a fatal flaw: Your machine has to pick up (“cache”) a specific good security certificate before that certificate can be attacked. So if the attacker is using a zapped version of the XYZ security certificate, say, you must first cache a good copy of the XYZ certificate. Current cracking attempts revolve around modifying a certificate that’s installed by default in Windows. We aren’t at crisis stage yet.
There are other hurdles a potential piece of CurveBall scumware faces:
- Windows 7, 8.1 and earlier versions aren’t susceptible. They don’t evaluate security certificates in a way that can be subverted by CVE-2010-0601.
- Certain browsers can’t be fooled. As of this writing, Firefox is immune (and always has been). When encountered with a malicious certificate, Edge throws a NET::ERR_CERT_AUTHORITY_INVALID error. Chrome was updated last night with a fix that’ll make it much harder to get bit.
- The latest updates to Windows Defender flag malicious CurveBall programs.
If you’re wondering whether your system is susceptible, Bojan and the folks at SANS have come up with a detailed analysis of attack patterns, and a website that you can use to see if your browser is vulnerable.
Go to https://curveballtest.com/index.html. The site will tell you immediately if your specific system, using that specific browser, is susceptible. Chances are very good you’ll see the OK screen, which looks like the screenshot.
Woody Leonhard/IDGOn my unpatched Win10 1809, 1903 and 1909 Pro systems, running Firefox, Chrome and Brave, I’m seeing “You Are Not Vulnerable” signs.
Of course, that doesn’t cover all possible infection routes. But it certainly plucks off the most obvious. And, again, we haven’t seen any “real” malware out in the wild.
My recommendation is that you install the January Patch Tuesday patches immediately only if you get a “You Are Vulnerable” response from the SANS test page. If you’re all clear, meh, stay out of the unpaid beta-testing pit and hold off on installing the January patches until we have a clearer picture of potential collateral damage.
We’re following closely on AskWoody.com.
