A vulnerability in Windows 10 means that users can no longer trust that they are visiting a legitimate domain, and that malicious software can be given seemingly trustworthy certificates. A researcher has already shown that this is not difficult.
A serious Windows 10 hole allows attackers to spoof certificates and thereby pose as a legitimate source. To demonstrate how easy that is, a security researcher used an exploit to impersonate the websites of both the NSA and GitHub and play the well-known Rick Astley video on them.
Ars Technica reports that researcher Saleem Rashid used the crypto vulnerability in Windows 10 to spoof the domains NSA.gov (the NSA being the discoverer and reporter of the hole) and Github.com in Chrome and in Microsoft’s own Edge browser, so that they appeared to be the legitimate domains. On Twitter he reports that Firefox is not susceptible to the attack.
CVE-2020-0601 pic.twitter.com/8tJsJqvnHj – Saleem Rashid (@saleemrash1d), January 15, 2020
The attack method for the Windows 10 hole requires a man-in-the-middle position, and according to Microsoft it is therefore not as critical. Microsoft rates the patch for the hole as Important rather than Critical. Security experts are divided on whether Microsoft is underestimating the problem or whether the NSA is creating hype.
The NSA, which informed Microsoft and disclosed its role on Patch Tuesday, stated this week that exploiting the hole is easy and that exploits would appear soon. Security journalist Brian Krebs drew the same conclusion, and Ars also cites various security experts who argue that the problem is bigger than Microsoft seems to realize.
Whatever the case, it is probably a good idea to patch your Windows 10 system quickly. You can download the update via Settings > Update & Security > Windows Update > Check for updates. If that does not work, or if you want to check whether your PC is patched, read this article from yesterday in which we explain it in detail.
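Besides installing the update, a patched system gives defenders a second signal. Microsoft's guidance for the January 2020 update states that, once the fix is installed, every attempt to validate a forged certificate of the kind Rashid demonstrated is written to the Application event log with source "Audit-CVE" and Event ID 1 (message "[CVE-2020-0601] cert validation"). The script below is an added example, not code from the article or from Microsoft; it assumes that provider name and event ID from Microsoft's guidance, and the 30-day lookback window is an arbitrary choice.

```powershell
# Added example (not from the article): list CVE-2020-0601 spoofing attempts
# that the patched Windows crypto library has logged. Assumption: the patch
# writes such attempts to the Application log as source "Audit-CVE", Event ID 1.

param(
    [int]$Days = 30   # lookback window in days (arbitrary default)
)

$since = (Get-Date).AddDays(-$Days)

# Get-WinEvent reports "No events were found" as an error when nothing matches;
# suppress it and treat an empty result as "nothing logged".
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Audit-CVE'
    Id           = 1
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No Audit-CVE events since $since."
    # An unpatched system never logs these events, so an empty result is not
    # evidence that the update is installed; verify the patch separately.
    Write-Output "Note: absence of events does not prove the patch is installed."
}
else {
    # One row per detected forged-certificate validation attempt.
    $events | ForEach-Object {
        [PSCustomObject]@{
            Time    = $_.TimeCreated
            Message = $_.Message
        }
    } | Format-Table -AutoSize -Wrap

    Write-Warning ("{0} forged-certificate validation attempt(s) detected since {1}; " +
                   "review the process and network path involved." -f $events.Count, $since)
}
```

Run it from an elevated PowerShell prompt on the machine you want to check; an empty result on an unpatched machine says nothing, because the detection logic only exists in the patched crypto library, so install the update first and then use the script as an ongoing check.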