A vulnerability found in Windows 10 has caused such a stir that the government became involved. High-ranking members of the National Security Agency (NSA) and the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) are urging Windows 10 users to install a critical update. The flaw leaves all Windows 10 users seriously vulnerable to potentially devastating attacks.
What’s The Emergency?
The NSA is always looking for security threats, but these circumstances are exceptional. Although it had never done so before, the NSA reported the discovery to Microsoft because of the potential for extreme exploitation. The Windows CryptoAPI vulnerability works in conjunction with other parts of the operating system to make it possible for a remote hacker to inject, modify, or even decrypt data on a user’s connection.
The vulnerability, tracked as CVE-2020-0601, abuses Elliptic Curve Cryptography (ECC) certificate validation to make nearly any form of software appear trustworthy. Malware can be remotely installed on a user’s machine, and Windows 10 would never recognize it as anything potentially unwanted. To the operating system, it would look the same as any trusted, signed, or necessary piece of software, registering at a threat level of zero. Users would never have any idea that their machines were actively running malware, which could easily be disguised as a necessary system process.
This vulnerability leaves unlimited potential for spoofing, not only in terms of encouraging people to install malware or installing it behind their backs, but also in the way it impacts the internet. HTTPS connections are secure – most people know by now that information shouldn’t be exchanged over a non-HTTPS connection, and most browsers have built-in safety tools that prevent such an exchange or warn users of the risks associated with doing so.
The exploit can be used to fake HTTPS connections or mislead users into believing that a duplicated version of a trusted website is the real thing. This means that the vulnerability not only compromises a user’s system, but the entire internet. Where there can be no reliable method of trust and validation, there can be no surefire method of cybersecurity.
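Because the flaw sits in how ECC certificates are validated, one widely used defensive screen is to flag EC public keys that describe their curve with explicit parameters rather than a standard named curve. This detail is not spelled out in the article; the Python below is an added example, not code from the article or from Microsoft, and its function names and sample bytes are constructed for illustration.

```python
# Added example: flag EC keys whose curve is given by explicit parameters.
EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # OID 1.2.840.10045.2.1 (id-ecPublicKey)
P256 = bytes.fromhex("2a8648ce3d030107")          # OID 1.2.840.10045.3.1.7 (named curve P-256)
KINDS = {0x06: "named", 0x30: "explicit", 0x05: "implicit"}  # ECParameters CHOICE, by DER tag

def read_tlv(buf, pos, end):
    """Return (tag, value_start, value_end) of the DER element at pos (low tag numbers only)."""
    if pos + 2 > end:
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                              # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > end:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise ValueError("DER element overruns its container")
    return tag, pos, pos + length

def ec_parameter_kinds(der, pos=0, end=None):
    """Walk the DER tree and yield the parameter form of every EC AlgorithmIdentifier."""
    end = len(der) if end is None else end
    while pos < end:
        tag, vs, ve = read_tlv(der, pos, end)
        if tag == 0x30 and vs < ve:                # SEQUENCE: is it { id-ecPublicKey, params }?
            first, a, b = read_tlv(der, vs, ve)
            if first == 0x06 and der[a:b] == EC_PUBLIC_KEY and b < ve:
                yield KINDS.get(der[b], "unknown")
                pos = ve
                continue
        if tag & 0x20:                             # constructed (SEQUENCE, SET, [n]): descend
            yield from ec_parameter_kinds(der, vs, ve)
        pos = ve

def has_explicit_curve(der):
    """True if any EC key in the blob does not use a named curve."""
    return any(kind != "named" for kind in ec_parameter_kinds(der))

def tlv(tag, value):                               # builder for the constructed samples below
    return bytes([tag, len(value)]) + value        # short-form length only (< 128 bytes)

# Constructed SubjectPublicKeyInfo samples: all-zero key bytes, explicit parameters truncated.
KEY_BITS = tlv(0x03, b"\x00\x04" + bytes(64))
NAMED_SPKI = tlv(0x30, tlv(0x30, tlv(0x06, EC_PUBLIC_KEY) + tlv(0x06, P256)) + KEY_BITS)
EXPLICIT_SPKI = tlv(0x30, tlv(0x30, tlv(0x06, EC_PUBLIC_KEY)
                              + tlv(0x30, tlv(0x02, b"\x01"))) + KEY_BITS)
```

Passing the DER bytes of a full certificate to `has_explicit_curve` works the same way, since the walker descends through every constructed element; a `True` result is a reason to inspect the certificate, not proof of abuse.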
The NSA is “Never Gonna Give You Up”
It’s common practice for ethical hackers and researchers to expose or demonstrate known vulnerabilities in a lighthearted or funny way. In this case, cybersecurity researcher Saleem Rashid found it pertinent to utilize our favorite dead meme, the rickroll, to showcase how the exploit works. Since this exploit can allow malicious entities to impersonate legitimate entities, Rashid changed fake but credible-seeming homepages for GitHub and the NSA to play “Never Gonna Give You Up.”
Rashid used the exploit as a proof of concept to demonstrate the severity behind it. If he had hijacked an important website and allowed visitors to submit usernames, passwords, and other authenticating information they may use to log in, someone could effortlessly bilk sensitive data from an entirely unsuspecting victim. Rashid claims that it can be duplicated with as little as ten lines of code, giving entry-level attackers an unbelievable amount of potentially devastating power.
Apply The Patch
We all have a tendency to wait on updates because they feel inconvenient and time-consuming. We want to turn on our machines to shop, browse YouTube, or watch Netflix. This is a patch that users cannot afford to pass up or put off. Now that the vulnerability has been made public and the patch has been released, any hacker with half a brain can easily reverse engineer attacks to exploit the vulnerability on every procrastinator’s machine. We’ve entered the eleventh hour – are you patched?