
Worried about an NSA ChainOfFools / CurveBall attack? There are many moving parts. Test your system.


While many researchers recommend that you install Microsoft's January updates to defend against an attack that is not yet imminent, exploiting security hole CVE-2020-0601, skeptics who worry about buggy Windows updates can now check their systems independently. Thanks to SANS, it's easy.

If you want to install the January Patch Tuesday updates, by all means go ahead. That said, I still recommend that you hold off on installing Microsoft's January patches until we get a clearer reading of possible problems.

The pro-patch-now argument usually goes something like this: everyone recommends that you install the patches to protect yourself against the crypto bug: almost every major security officer, researchers, big online sites, the local news station, your congressional representative, your new neighbor's one-year-old son, even the NSA. It's a small patch. Why not just install it and be done with it?

Life is not that simple. Microsoft has a horrible track record with updates. (You can see a month-by-month list that goes back 25 months.) Some people install the latest updates from Microsoft like clockwork and never have a problem. But too many Windows customers get bitten. I'm still waiting to see whether there are any major problems with the January crop.

Security people generally focus on one specific potential threat and do not consider the rest of the landscape. That's understandable, but the big picture for this month really is quite big.

For many administrators, this month's RD Gateway fix is much more important. Administrators are already swamped with the Citrix vulnerabilities and the 334 security patches that Oracle has just released. On a scale of one to ten, those are real tens. The threat from ChainOfFools / CurveBall, CVE-2020-0601? Not so much.

For those of you who do not keep state secrets or corporate bribery schemes, the situation is much simpler. There are several ChainOfFools / CurveBall proof-of-concept programs floating around. Saleem Rashid has a good one on GitHub. But they are far from widespread attacks.

Every one of them has a fundamental limitation: your machine must first collect ("cache") a good copy of the specific security certificate before that certificate can be attacked. So if the attacker uses a forged version of the XYZ security certificate, for example, a good copy of the XYZ certificate must already be cached. Current exploit attempts revolve around modifying a certificate that Windows installs by default. We are not at the crisis stage yet.

There are other obstacles that a would-be piece of CurveBall malware faces:

Windows 7, 8.1 and earlier are not susceptible. They do not evaluate security certificates in a way that can be subverted by CVE-2020-0601.

Some browsers are not fooled. At the time of writing, Firefox is immune (and always has been). When it encounters a malicious certificate, Edge throws a NET::ERR_CERT_AUTHORITY_INVALID error. Chrome was updated last night with a fix that will make the attack much more difficult.

The latest Windows Defender updates flag CurveBall malware.
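A complementary check for administrators, added here as an editor's example and not part of the original post or of the SANS test: on a Windows 10 machine that already has the January fix, the patched certificate code writes an Application-log event (provider `Microsoft-Windows-Audit-CVE`, Event ID 1, message mentioning CVE-2020-0601) whenever it rejects a certificate that attempts the CurveBall trick. The provider name and event ID are assumed from Microsoft's documentation of that update; the script reports those events and, per the post, skips Windows 7 / 8.1, which are not affected.

```powershell
# Editor's example, not from the original post. Assumption: the patched
# crypt32.dll logs provider "Microsoft-Windows-Audit-CVE", Event ID 1 in the
# Application log when it blocks a CVE-2020-0601 certificate. An UNPATCHED
# system never writes these events, so no events is not proof of safety.

function Get-CurveBallAuditEvent {
    [CmdletBinding()]
    param([int]$Days = 30)

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Audit-CVE'
        Id           = 1
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    try {
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as an empty result.
        $events = @()
    }

    foreach ($e in $events) {
        if ($e.Message -match 'CVE-2020-0601') {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Computer    = $e.MachineName
                Message     = ($e.Message -replace '\s+', ' ')
            }
        }
    }
}

# Windows 7 / 8.1 and earlier are not susceptible, as the post notes.
$os = Get-CimInstance Win32_OperatingSystem
if ([version]$os.Version -lt [version]'10.0') {
    Write-Host "$($os.Caption) is not affected by CVE-2020-0601."
} else {
    $hits = @(Get-CurveBallAuditEvent -Days 30)
    if ($hits.Count -eq 0) {
        Write-Host 'No CVE-2020-0601 audit events in the last 30 days.'
    } else {
        $hits | Format-Table -AutoSize
    }
}
```

Run it in an elevated PowerShell session so the Application log can be read in full.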

If you're wondering whether your system is susceptible, Bojan and the people at SANS have put together a detailed analysis of the attack patterns and a website that you can use to see whether your browser is vulnerable.

Go to https://curveballtest.com/index.html. The site will tell you immediately whether your specific system, using that specific browser, is susceptible. You will most likely see the OK screen, which looks like the screenshot.

On my unpatched Win10 1809, 1903 and 1909 Pro systems running Firefox, Chrome and Brave, I see the "You are not vulnerable" sign.

Of course, this does not cover all possible routes of infection. But it certainly reveals the obvious ones. And again, I haven't seen any "real" malware in the wild.

My recommendation is to install the January patches immediately only if you get a "You are vulnerable" response on the SANS test page. If it comes back clean, meh, stay out of the unpaid beta-testing pit and wait to install the January patches until we have a clearer picture of the potential collateral damage.