Fwd: [Dailydave] More info on SSLMAGEDON
---------- Forwarded message ----------
From: Dave Aitel <[email protected]>
Date: Mon, 17 Nov 2014 10:59:50 -0500
Subject: [Dailydave] More info on SSLMAGEDON
Our friends at BeyondTrust have a page on the bug now:
http://blog.beyondtrust.com/triggering-ms14-066
One thing I think people are missing is that this bug works by default
on Windows 7 and above. You can force a client cert down Windows'
throat, which triggers the vulnerability regardless of configuration
settings. Of course, what you do next is the fun part. Immunity's
researchers are investigating many techniques, one of which is to attack
the crypto variables directly. This may allow a Heartbleed-or-worse
style exploitation without code execution at all...