undefined | Better HN

0 pointsrst6y ago0 comments

The pseudonymous but well-connected 'swiftonsecurity' twitter account reports on background that 'RCE' chatter about this particular vulnerability does indeed relate to compromised software update channels. (Not just AuthentiCode, but also MITM on, say, connections to the npm package server.) See https://twitter.com/SwiftOnSecurity/status/12171594348808478...

That said, this same patch set also has a separate pre-auth RCE on Microsoft's Remote Desktop Gateway, which has been documented as CVE-2020-0609 (not ...-0601). See https://www.kb.cert.org/vuls/id/491944/

0 comments

est316y ago

> connections to the npm package server

Doesn't npm use node.js for this, which uses openssl?

> https://nodejs.org/api/tls.html#tls_tls_ssl

Third party tools connecting to the npm server that use Window's TLS library would absolutely be affected though.

thw0rted6y ago

I suspect the answer is "it's complicated". For example, you can specify a package version string as `git://...` and it will grab the package from a git repository. It's possible that this uses a JS-native Git implementation, but it's also possible that it uses a locally-installed Git binary, which could in turn use MSCAPI, especially if it's configured to use an external SSH provider.

est316y ago

That's a good point. I'm not too familiar with npm code but it seems that they are indeed using git from the CLI instead using it via a library: https://github.com/npm/cli/blob/ba7f1466436cc22e27f8a14dede3...

j / k navigate · click thread line to collapse

0 pointsrst6y ago0 comments

0 comments

est316y ago

> connections to the npm package server

Doesn't npm use node.js for this, which uses openssl?

> https://nodejs.org/api/tls.html#tls_tls_ssl

Third party tools connecting to the npm server that use Window's TLS library would absolutely be affected though.

thw0rted6y ago

est316y ago

j / k navigate · click thread line to collapse