Security News > 2020 > January > How a researcher exploited the Windows 10 bug patched by Microsoft
Saleem Rashid shows that a patch for a security bug in Windows 10 and Windows Server 2016/2019 could be exploited in the real world to spoof security certificates on machines without the patch.
This week Microsoft was forced to quickly patch a security bug in Windows 10 and Windows Server 2016/2019 that could have allowed attackers to spoof legitimate security certificates as a way of gaining control of an infected PC. Microsoft was prompted to act after the NSA discovered and privately reported the bug, which was evidence of a serious flaw in the way the latest versions of Windows and Windows Server check the validity of certain security certificates.
Specifically, the vulnerability is the result of a flaw in the Elliptic Curve Cryptography Microsoft used in its code for Windows 10 and Windows Server 2016 and 2019.
In his testing, Rashid was able to take advantage of the vulnerability by cooking up code to create phony security certificates as a way to spoof the secure and verified websites of Github and the National Security Agency.
Security firm Kudelski Security has published the code via GitHub, while a Danish security researcher named Ollypwn did the same.
News URL
Related news
- Microsoft says it broke some Windows 10 patching – as it fixes flaws under attack (source)
- Researchers Uncover Flaws in Windows Smart App Control and SmartScreen (source)
- Microsoft: Windows 11 22H2 reaches end of support in 60 days (source)
- Microsoft is killing the Windows Paint 3D app after 8 years (source)
- Windows 10 KB5041580 update released with 14 fixes, security updates (source)
- Windows Server August updates fix Microsoft 365 Defender issue (source)
- Microsoft retires Windows updates causing 0x80070643 errors (source)
- Microsoft removes FAT32 partition size limit in Windows 11 (source)
- Microsoft to rollout Windows Recall to Insiders in October (source)
- Microsoft to roll out Windows Recall to Insiders in October (source)