Hello, welcome to the Wednesday, January 15th, 2020 edition of the Santernut Storm Center's

Stormcast. My name is Johannes Ulrich. And I'm recording from Jacksonville, Florida.

Well, of course, Patch Tuesday, the big topic today. And at first, it actually doesn't look all that bad if you're just looking

at the numbers we had a total of 49 one at least that were patched today and eight of them

are rated criticals none of them were publicly disclosed before today and none of them have

been exploited in the wild so far.

But of course these last couple days we had all these pre-announcements, rumors about a critical

vulnerability in the crypto API, and yes, this was one of the big patches that Microsoft released today.

So the problem here is how the crypto API in Windows does validate Liptic curve certificates.

So whenever a system receives a certificate, it has to check if the certificate is properly signed by a

trusted certificate authority. And that sort of where things go wrong here. An attacker could

create a certificate that appears to be validly signed by a trusted set of authority, but in fact isn't.

So the end effect is that that hacker can essentially create arbitrary certificates that appear valid.

Now arbitrary as long as they're elliptic curve certificates.

Leptic curve certificates are still, I would say, less common than the older RSA certificates.

They're a bit more modern, they're more efficient, and the world is certainly moving away

from RSA somewhat towards the elliptic curve certificates.

Probably the best way to illustrate the impact of this issue is to just go through some cases where certificates

matter.

And I put this a little bit in the diary, but just knew you're receiving an email from a vendor

telling you about an update.

Well, if the vendor did their job right, then they digitally signed this email.

...