ISC StormCast for Thursday, January 16th 2020
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
4.9 • 754 Ratings
🗓️ 16 January 2020
⏱️ 6 minutes
🧾️ Download transcript
Summary
Transcript
Click on a timestamp to play from that location
| 0:00.0 | Hello, welcome to the Thursday, January 16th, 2020 edition of the Sandcent Storm Center's Stormcast. |
| 0:08.2 | My name is Johannes Ulrich. |
| 0:09.6 | And today I'm recording from Jacksonville, Florida. |
| 0:14.1 | Quick follow up on the CVE 2020-601 vulnerability. |
| 0:20.7 | That's the Crypto API Elliptic Curve Certificate issue. CVE 2000, 2010-601 vulnerability. |
| 0:24.8 | That's the Crypto API Elliptic Curve Certificate issue. |
| 0:31.7 | Now, we had a webcast today with Jake Williams, just summarizing some of the issues here. |
| 0:37.2 | Since I spoke yesterday, there's sort of a couple things that came up. First of all, there are a number of researchers |
| 0:39.1 | that have produced sort of proof of concept exploits, but none of them has published them so far as |
| 0:46.9 | I'm aware. There is one blog post that really goes over all the details and what's going on here. |
| 0:53.2 | The vulnerability is subtle, I would call it. |
| 0:56.8 | It's not one of those things like the famous Apple go-to-fail vulnerability from a couple |
| 1:02.6 | years ago where part of the verification code just wasn't run. |
| 1:08.3 | I think the big question that everybody is sort of waiting for, how would an attacker |
| 1:13.0 | actually practically weaponize this vulnerability? In the end, the attacker still essentially has to |
| 1:20.3 | get you to go to a website, has to get you to download some binary and execute it. So that's a bit the hard part here. And probably one of the big things that I think I mentioned yesterday, but Windows update is not vulnerable here. Also, a lot of the other update processes, but it's a little bit hit and miss, may or may not be vulnerable depending on whether |
| 1:45.0 | they do certificate pinning or not. Given that this is not terribly difficult to exploit, I would |
| 1:51.4 | definitely still recommend that you should expedite patching and hopefully have things patched by |
| 1:58.4 | the end of this week. I know this is aggressive for a lot of enterprises. |
| 2:04.5 | I published a little follow-up diary today with an answer to many of the questions we got during |
| 2:10.6 | the webcast. I'll probably actually meant that a little bit tomorrow. I still haven't gotten all |
| 2:16.4 | the questions from the webcast already together and integrated. |
... |
Please login to see the full transcript.
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.
Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
Copyright © Tapesearch 2026.