Security News > 2020 > January > How a researcher exploited the Windows 10 bug patched by Microsoft

Saleem Rashid shows that a patch for a security bug in Windows 10 and Windows Server 2016/2019 could be exploited in the real world to spoof security certificates on machines without the patch.

This week Microsoft was forced to quickly patch a security bug in Windows 10 and Windows Server 2016/2019 that could have allowed attackers to spoof legitimate security certificates as a way of gaining control of an infected PC. Microsoft was prompted to act after the NSA discovered and privately reported the bug, which was evidence of a serious flaw in the way the latest versions of Windows and Windows Server check the validity of certain security certificates.

Specifically, the vulnerability is the result of a flaw in the Elliptic Curve Cryptography Microsoft used in its code for Windows 10 and Windows Server 2016 and 2019.

In his testing, Rashid was able to take advantage of the vulnerability by cooking up code to create phony security certificates as a way to spoof the secure and verified websites of Github and the National Security Agency.

Security firm Kudelski Security has published the code via GitHub, while a Danish security researcher named Ollypwn did the same.

News URL

http://www.techrepublic.com/article/how-a-researcher-exploited-the-windows-10-bug-patched-by-microsoft/#ftag=RSS56d97e7