Bad Flaw in Windows 10 Also Affects Chrome Browser

The NSA-discovered vulnerability in Windows 10 doesn't just affect the Microsoft operating system; it can also help disguise hacking attempts on Google's Chrome browser.

On Wednesday, security researchers began demonstrating how you can use the Windows 10 flaw, CVE-2020-0601, to spoof trusted digital certificates for official website domains on Chrome.

One expert, Saleem Rashid, did this by spoofing the SSL certificate for the NSA.gov site, which was first reported by Ars Technica.

Thanks to the vulnerability, Google's browser will mistakenly interpret the certificate as valid when in reality it's a fake.

The misreading occurs because Chrome relies on Windows 10's CryptoAPI to validate certificates, Yolan Romailler at Kudelski Security told Daxdi.

Unfortunately, the same API has a serious bug in how it vets elliptic curve cryptography.

On Tuesday, Microsoft warned that you can actually rig a certificate to trick the system into thinking it's real and from a trusted source.

That has security experts, including officials at the NSA, alarmed.

In the wrong hands, the flaw could help hackers create official-looking websites, when in reality they've been designed to steal your information.

Romailler has created a proof-of-concept anyone can visit to see the flaw in action.

Using a vulnerable Windows 10 machine, Daxdi tried it, and the demo does work on Chrome as well as Microsoft's Edge browser, but not on Firefox, which displays a connection error when the test site is loaded.

Although the flaw is disturbing, it's important to note that hackers have been successfully duping victims with lookalike phishing websites for decades now, without exploiting flaws in Windows' CryptoAPI.

The real threat is if an adversary, like a foreign government or elite nation-state hackers, controls an internet network.

The adversary could secretly stage a "man-in-the-middle attack" by intercepting the traffic to a major website, and re-directing all the users to a hacker-controlled domain.

An example of this happened in 2015, when users in China attempting to visit Microsoft's Outlook.com were briefly re-directed to a lookalike site on the same domain.

Thankfully, users were tipped off because their browsers failed to return a trusted digital certificate.

However, the CryptoAPI bug threatens to undermine this important safeguard.

The good news is that Microsoft has issued a patch to fix the flaw, which is also rolling out directly to Windows 10 users who have automatic updates turned on.

According to Ars Technica, Google is also working on a fix for the Chrome browser that's already available in the beta versions.

On Chrome, exploiting the flaw required Romailler to write only 50 lines of computer code.

However, to successfully spoof a certificate, Chrome must have already loaded and stored the root certificate in the browser's cache.

This can be done simply by directing the browser to first visit a separate website with the root certificate before engaging in the spoofing attack.
