VIP News
  • Bad Flaw in Windows 10 Also Affects Chrome Browser
    Time: Jan. 19, 2020


    Security researchers are demonstrating how you can use the Windows 10 flaw, CVE-2020-0601, to spoof the trusted digital certificates for official website domains on Google's Chrome browser. These same certificates can warn you about hacking attempts.

    The NSA-discovered vulnerability in Windows 10 doesn't just affect the Microsoft operating system; it can also help disguise hacking attempts on Google's Chrome browser.

    On Wednesday, security researchers began demonstrating how you can use the Windows 10 flaw, CVE-2020-0601, to spoof trusted digital certificates for official website domains on Chrome.

    One expert, Saleem Rashid, did this by spoofing the SSL certificate for the site, as first reported by Ars Technica. Thanks to the vulnerability, Google's browser mistakenly interprets the certificate as valid when in reality it's a fake.

    The misreading occurs because Chrome relies on Windows 10's CryptoAPI to validate certificates, according to Yolan Romailler at Kudelski Security. Unfortunately, the same API has a serious bug in vetting elliptic curve cryptography.

    That has security experts, including officials at the NSA, alarmed. In the wrong hands, the flaw could help hackers create official-looking websites that are in reality designed to steal your information. Romailler has created a proof-of-concept anyone can visit to see the flaw in action.

    Although the flaw is disturbing, it's important to note that hackers have been successfully duping victims with lookalike phishing websites for decades now, without exploiting flaws in Windows' CryptoAPI. The real threat is if an adversary, like a foreign government or elite nation-state hackers, controls an internet network. The adversary could secretly stage a "man-in-the-middle attack" by intercepting the traffic to a major website and re-directing all the users to a hacker-controlled domain.

    An example of this happened in 2015, when users in China attempting to visit Microsoft's were briefly re-directed to a lookalike site on the same domain. Thankfully, users were tipped off because their browsers failed to return a trusted digital certificate. However, the CryptoAPI bug threatens to undermine this important safeguard.

    The good news is that Microsoft has issued a patch to fix the flaw, which is also rolling out directly to Windows 10 users who have automatic updates turned on. According to Ars Technica, Google is also working on a fix for the Chrome browser that's already available in the beta versions.

    On Chrome, exploiting the flaw only required Romailler to write 50 lines of computer code. However, to successfully spoof a certificate, Chrome must have already loaded and stored the root certificate in the browser's cache. This can be done simply by directing the browser to first visit a separate website with the root certificate before engaging in the spoofing attack.
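    The article does not say which part of the elliptic curve check in CryptoAPI is broken; the public NSA and Microsoft advisories for CVE-2020-0601 attribute it to certificates whose EC key carries explicitly defined curve parameters instead of a named curve. The checker below is an added example, not code from the article or from Romailler's proof of concept: it walks a DER-encoded certificate (or just its SubjectPublicKeyInfo) and flags that pattern so a defender can screen a chain before trusting it. The two sample structures are constructed here with placeholder key and parameter bytes.

```python
# Added example: flag EC keys whose AlgorithmIdentifier carries explicit curve
# parameters (a SEQUENCE) instead of a named-curve OID. Single-byte DER tags only.

EC_PUBLIC_KEY_OID = bytes.fromhex("2a8648ce3d0201")    # 1.2.840.10045.2.1 ecPublicKey
SECP256R1_OID = bytes.fromhex("2a8648ce3d030107")      # 1.2.840.10045.3.1.7 prime256v1
PARAM_KINDS = {0x06: "named", 0x30: "explicit", 0x05: "implicit"}

def _read_tlv(data, pos):
    """Decode one DER element at pos -> (tag, value_start, value_end)."""
    tag, length, hdr = data[pos], data[pos + 1], 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
        hdr += n
    return tag, pos + hdr, pos + hdr + length

def _children(data, start, end):
    """Yield (tag, value_start, value_end) for each element in [start, end)."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(data, pos)
        yield tag, vs, ve
        pos = ve

def classify_ec_parameters(der):
    """Return the parameter kind of every ecPublicKey AlgorithmIdentifier in a DER blob."""
    found = []
    def walk(start, end):
        kids = list(_children(der, start, end))
        for i, (tag, vs, ve) in enumerate(kids):
            if tag == 0x06 and der[vs:ve] == EC_PUBLIC_KEY_OID and i + 1 < len(kids):
                found.append(PARAM_KINDS.get(kids[i + 1][0], "unknown"))
            if tag & 0x20:                              # constructed element: recurse
                walk(vs, ve)
    walk(0, len(der))
    return found

def has_explicit_curve(der):
    return "explicit" in classify_ec_parameters(der)   # True means reject or alert

def _tlv(tag, value):
    """Encode a DER element, short or long length form (used to build samples)."""
    n = len(value)
    if n < 128:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

# Constructed samples: placeholder point and parameter bytes, not real keys or curves.
_POINT = _tlv(0x03, b"\x00\x04" + b"\x11" * 64)        # BIT STRING, uncompressed point
NAMED_SPKI = _tlv(0x30, _tlv(0x30, _tlv(0x06, EC_PUBLIC_KEY_OID) + _tlv(0x06, SECP256R1_OID)) + _POINT)
EXPLICIT_PARAMS = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, b"\x00" * 200))   # placeholder ECParameters
EXPLICIT_SPKI = _tlv(0x30, _tlv(0x30, _tlv(0x06, EC_PUBLIC_KEY_OID) + EXPLICIT_PARAMS) + _POINT)
```

Run `has_explicit_curve()` over every DER certificate in a presented chain; a named-curve key is what legitimate CAs issue, and an explicit-parameter key is the signal to refuse the chain or raise an alert.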