Worried about an NSA ChainOfFools/CurveBall attack? There are lots of moving parts. Test your system.

If you want to install the January Patch Tuesday patches, by all means, go right ahead. That said, I continue to recommend that you hold off installing the January Microsoft patches until we get a clearer reading on potential bugs.

The pro-patch-now argument generally goes something like this: Everybody is recommending that you install the patches to protect against the Crypto bug — almost all of the major security folks, the researchers, the big online sites, your local news station, your congresscritter, your neighbor’s nine-year-old, even the bleeping NSA. It’s a little patch. Why not just install it and be done with it?

Life’s not so simple. Microsoft has a horrible track record with updates. (You can see a month-by-month listing, going back 25 months, in this series of posts on Computerworld.) Some folks install the latest Microsoft updates like clockwork and never have a problem. But far too many Windows customers get bit. I’m still waiting to see if there are any big problems with the January crop.

The security folks, by and large, focus on one specific potential threat and don’t consider the rest of the picture. That’s understandable, but the big picture this month is very big indeed.

For many admins, this month’s Remote Desktop Gateway fix is much more important. Admins already have their plates full with Citrix vulnerabilities and the 334 security patches just dropped by Oracle. On a scale from one to ten, those are bona fide tens. The ChainOfFools/CurveBall CVE-2020-0601 threat? Not so much.

For those of you who aren’t guarding state secrets or corporate kickback schemes, the situation’s much simpler. There are several ChainOfFools/CurveBall Proof of Concept programs floating around. Saleem Rashid has a particularly entertaining one on GitHub. But they aren’t anywhere close to being widespread attacks.

Copyright © 2020 IDG Communications, Inc.
