Bad Flaw in Windows 10 Also Affects Chrome BrowserTime: Jan. 19, 2020
Security researchers are demonstrating how you can use the Windows 10 flaw, CVE-2020-0601,
to spoof the trusted digital certificates for official website domains on Google's Chrome browser.
These same certificates can warn you about hacking attempts.
The NSA-discovered vulnerability in Windows 10 doesn't just affect the Microsoft operating system;
it can also help disguise hacking attempts on Google's Chrome browser.
On Wednesday, security researchers began demonstrating how you can use the Windows 10 flaw,
CVE-2020-0601, to spoof trusted digital certificates for official website domains on Chrome.
One expert, Saleem Rashid, did this by spoofing the SSL certificate for the NSA.gov site, which
was first reported by Ars Technica. Thanks to the vulnerability, Google's browser will mistakenly
interpret the certificate as valid when in reality it's a fake.
The misreading occurs because Chrome is relying on Windows 10's CryptoAPI to validate the
certificates, Yolan Romailler at Kudelski Security. Unfortunately, the same API has a serious bug
on vetting elliptic curve cryptography.
That has security experts, including officials at the NSA, alarmed. In the wrong hands, the flaw
could help hackers create official-looking websites, when in reality they've been designed to steal
your information. Romailler has created a proof-of-concept anyone can visit to see the flaw in action.
Although the flaw is disturbing, it's important to note that hackers have been successfully duping
victims with lookalike phishing websites for decades now, without exploiting flaws in Windows'
CryptoAPI. The real threat is if an adversary, like a foreign government or elite nation-state hackers,
controls an internet network. The adversary could secretly stage a "man-in-the-middle attack" by
intercepting the traffic to a major website, and re-directing all the users to a hacker-controlled domain.
An example of this happened in 2015, when users in China attempting to visit Microsoft's Outlook.com
were briefly re-directed to a lookalike site on the same domain. Thankfully, users were tipped off because
their browsers failed to return a trusted digital certificate. However, the CryptoAPI bug threatens to undermine
this important safeguard.
The good news is that Microsoft has issued a patch to fix the flaw, which is also rolling out directly to
Windows 10 users who have automatic updates turned on. According to Ars Technica, Google is also
working on a fix for the Chrome browser that's already available in the beta versions.
On Chrome, exploiting the flaw only required Romailler writing 50 lines of computer code. However,
to successfully spoof a certificate, Chrome must have already loaded and stored the root certificate in the
browser's cache. This can be done simply by directing the browser to first visit a separate website with the
root certificate before engaging in thespoofing attack.