@taviso
Will confirms all X.509 validation broken, not just code signing. Okay, I'm back on the hype train, that's pretty bad. twitter.com/wdormann/statu…

Dan Goodin
@dangoodin001
14 Jan
Any thoughts on why Microsoft rates it as important and not critical?

Tavis Ormandy
@taviso
14 Jan
It seems consistent with their scale, it means https is broken, not iis remote shell. Still, if you can't make exceptions for things like this, then maybe the scale is broken.

Jonathan Leitschuh → ShmooCon
@JLLeitschuh
14 Jan
The implications here are TLS certificate verification bypassing thus enabling a MITM? Or am I missing something?

Wes
@weskerfoot
14 Jan
Yes, or any other way you want to tamper with code signing, etc. Anything that relies on certificate chains being valid.

Ug_0 Security
@Ug_0Security
14 Jan
i.. am.. confused.. pic.twitter.com/0VwhKqlZw7

Rob Rosenberger
@vmyths
14 Jan

Maik Musall
@maikm
14 Jan
That is some first class timing right after Win7 no longer receiving updates.

Fotis
@fotisl
15 Jan
From portal.msrc.microsoft.com/en-US/security… : "A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software."

(ca)sey
@verbumrosini
14 Jan

⬡liver
@OVollmer
14 Jan
Lol the MSRC site must be overloaded right now, it's taking forever to load