Saleem Rashid shows that a patch for a security bug in Windows 10 and Windows Server 2016/2019 could be exploited in the real world to spoof security certificates on machines without the patch.
This week Microsoft was forced to quickly patch a security bug in Windows 10 and Windows Server 2016/2019 that could have allowed attackers to spoof legitimate security certificates as a way of gaining control of an infected PC. Microsoft was prompted to act after the NSA discovered and privately reported the bug, which was evidence of a serious flaw in the way the latest versions of Windows and Windows Server check the validity of certain security certificates.
Releasing the fix on January 14 as part of its monthly Patch Tuesday lineup, Microsoft labeled the patch an "Important" update rather than a "Critical" update, presumably because the company said it hadn't found any real-world examples in which the vulnerability had been exploited.
SEE: The 10 most important cyberattacks of the decade (free PDF) (TechRepublic)
But now, a security researcher has shown just how the flaw could be exploited in the real world.
In a tweet on Wednesday researcher Saleem Rashid, showed images of his exploit of the bug in Google Chrome and Microsoft Edge. The images show Rashid using a process known as "rickrolling," which creates a link to a supposedly legitimate website but actually redirects the user to a music video of the song "Never Gonna Give You Up" by singer Rick Astley. The process is used to show how someone can be tricked into clicking on a link that leads to somewhere unexpected and potentially malicious.
The Windows vulnerability, which has been labeled CVE-2020-0601, would allow someone to spoof a legitimate security certificate, which could then make a malicious site appear as trusted due to the phony certificate. Specifically, the vulnerability is the result of a flaw in the Elliptic Curve Cryptography (ECC) Microsoft used in its code for Windows 10 and Windows Server 2016 and 2019.
In his testing, Rashid was able to take advantage of the vulnerability by cooking up code to create phony security certificates as a way to spoof the secure and verified websites of Github and the National Security Agency. Without Microsoft's patch, the vulnerability can be exploited in Chrome, Edge, and Internet Explorer, but seemingly not Firefox.
A spokeperson for Google confirmed that Chrome users are protected with the latest Microsoft patch but that Google is rolling out an update to its browser to further secure it.
"What Saleem just demonstrated is: With [a short] script you can generate a cert for any website, and it's fully trusted on IE and Edge with just the default settings for Windows," Kenn White, a researcher and security principal at MongoDB, told Ars Technica. "That's fairly horrifying. It affects VPN gateways, VoIP, basically anything that uses network communications."
If exploited, the bug can let an attacker perform Man-in-the-Middle attacks, intercept and spoof HTTPS connections, fake signatures for files and emails, and fake signed executable code launched inside Windows.
So far, Rashid has not published the code he used to exploit the flaw. However, others have jumped on that bandwagon. Security firm Kudelski Security has published the code via GitHub, while a Danish security researcher named Ollypwn did the same. In a blog post, Kudelski Security explained why it released the code publicly and how it would work to exploit the vulnerability.
SEE: Patch management policy (TechRepublic Premium)
On the positive side, Kudelski Security also said that exploiting the flaw is not something the average hacker or cybercriminal would be able to achieve.
"In the end, please keep in mind that such a vulnerability is not at risk of being exploited by script kiddies or ransomware," the security firm said. "While it is still a big problem because it could have allowed a Man-in-the-Middle attack against any website, you would need to face an adversary that owns the network on which you operate, which is possible for nation-state adversaries, but less so for a script kiddie.
"This is why we are releasing this PoC [Proof of Concept], the exploitability of this vulnerability is not good enough to lead to a sudden ransomware threat (unlike the one we had with Wannacry)," Kudelski Security added. "This is also probably why the NSA decided not to weaponize their finding, but to rather disclose it: For them it is best to have the USA patched rather than to keep it and take the risk of it being used against the USA, as the attack surface is so vast."
Ultimately, however, the best defense is to update affected Windows PCs and servers with Microsoft's patch to make sure those machines are fully protected against this latest threat.
- How to become a cybersecurity pro: A cheat sheet (TechRepublic)
- Mastermind con man behind Catch Me If You Can talks cybersecurity (TechRepublic download)
- Windows 10 security: A guide for business leaders (TechRepublic Premium)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- All the VPN terms you need to know (CNET)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)