Windows 10: Security researcher 'rickrolls' himself to exploit bug patched by Microsoft (Security News, January 2020)
Saleem Rashid shows that a patch for a security bug in Windows 10 and Windows Server 2016/2019 could be exploited in the real world to spoof security certificates on machines without the patch.
This week Microsoft was forced to quickly patch a security bug in Windows 10 and Windows Server 2016/2019 that could have allowed attackers to spoof legitimate security certificates as a way of gaining control of an infected PC. Microsoft was prompted to act after the NSA discovered and privately reported the bug, which revealed a serious flaw in the way the latest versions of Windows and Windows Server check the validity of certain security certificates.
Specifically, the vulnerability stems from a flaw in the elliptic-curve cryptography code Microsoft used in Windows 10 and Windows Server 2016 and 2019.
In his testing, Rashid was able to take advantage of the vulnerability by cooking up code to create phony security certificates as a way to spoof the secure and verified websites of GitHub and the National Security Agency.
Security firm Kudelski Security has published the code via GitHub, while a Danish security researcher named Ollypwn did the same.