A major Windows 10 security flaw has let a cybersecurity researcher rickroll the US intelligence agency, the NSA, and the software development platform GitHub. It's a good laugh, but it also highlights how serious the security alert is, and it works as a reminder to any Australians who haven't already installed the security patch.
[referenced url=”https://gizmodo.com.au/2020/01/stop-what-youre-doing-and-update-windows-right-now/” thumb=”https://i.kinja-img.com/gawker-media/image/upload/t_ku-large/oirylu2piv4zygnlamro.jpg” title=”Stop What You’re Doing And Update Windows Right Now” excerpt=”The U.S. National Security Agency disclosed a major vulnerability in the latest version of Windows 10 and Windows Server 2016 to Microsoft, which released a fix for the issue on Tuesday, the MIT Technology Review reported.”]
U.K. cybersecurity researcher Saleem Rashid posted screenshots to Twitter claiming he'd successfully rickroll'd Microsoft's GitHub as well as the NSA's website in the Edge browser, using the Windows 10 security flaw disclosed on January 14, 2020 (US time).
thanks to @CiPHPerCoder‘s hint 🙂
the biggest constraints are Chrome’s tight certificate policies and that the root CA must be cached, which you can trigger by visiting a legitimate site that uses the certificate pic.twitter.com/GgftwVvpY8
— Saleem Rashid (@saleemrash1d) January 15, 2020
CVE-2020-0601 pic.twitter.com/8tJsJqvnHj
— Saleem Rashid (@saleemrash1d) January 15, 2020
The vulnerability, CVE-2020-0601, was found by the NSA and reported to Microsoft. The NSA warned that it could trick programs into accepting forged trust certificates as valid, which would let an attacker pass off malware or ransomware as legitimately signed software or, in Rashid's case, serve a rickroll over what the browser shows as a trusted connection. His demonstration shows how it can be used to make a spoofed site look like a verified one.
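The mechanism behind the spoofing, as an added worked example that is not code from the article, from Rashid, or from Microsoft. Before the patch, Windows CryptoAPI matched an ECC certificate against its cache of trusted roots by public key alone, without checking that the certificate's explicit curve parameters (in particular the generator) matched the cached root's. The code below models that check on a toy curve: the textbook curve y^2 = x^3 + 2x + 2 over F_17, which has prime order 19, a constructed root CA with private key 7, and a stand-in leaf hash. The two trust-check functions are a simplified model of the pre- and post-patch behaviour, not Microsoft's code.

```python
# Toy model of the CVE-2020-0601 trust check (added example, not from the
# article or Microsoft). An attacker who sets generator G' = Q (the real
# root's public key) and private key d' = 1 gets public key 1*G' = Q, so the
# forged root matches the cached one while the attacker holds its private key.
from dataclasses import dataclass
from typing import List, Optional, Tuple

Point = Optional[Tuple[int, int]]  # None is the point at infinity

@dataclass(frozen=True)
class CurveParams:  # y^2 = x^3 + a*x + b over F_p, generator g
    p: int
    a: int
    b: int
    g: Tuple[int, int]

@dataclass(frozen=True)
class Cert:  # only the fields the trust check looks at
    subject: str
    params: CurveParams
    pubkey: Tuple[int, int]

def point_add(c: CurveParams, P: Point, Q: Point) -> Point:
    """Textbook affine addition (not constant time; toy curve only)."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % c.p == 0:
        return None  # P == -Q
    if P == Q:
        lam = (3 * x1 * x1 + c.a) * pow(2 * y1, -1, c.p) % c.p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, c.p) % c.p
    x3 = (lam * lam - x1 - x2) % c.p
    return (x3, (lam * (x1 - x3) - y1) % c.p)

def scalar_mult(c: CurveParams, k: int, P: Point) -> Point:
    R: Point = None
    while k:
        if k & 1:
            R = point_add(c, R, P)
        P, k = point_add(c, P, P), k >> 1
    return R

def point_order(c: CurveParams, P: Point) -> int:
    n, R = 1, P  # brute force; fine for a 5-bit curve
    while R is not None:
        R, n = point_add(c, R, P), n + 1
    return n

def ecdsa_sign(c: CurveParams, d: int, z: int) -> Tuple[int, int]:
    n = point_order(c, c.g)
    for k in range(1, n):  # deterministic nonce search, toy only
        r = scalar_mult(c, k, c.g)[0] % n
        s = pow(k, -1, n) * (z + r * d) % n if r else 0
        if r and s:
            return (r, s)
    raise ValueError("no usable nonce")

def ecdsa_verify(c: CurveParams, pub: Tuple[int, int], z: int,
                 sig: Tuple[int, int]) -> bool:
    n, (r, s) = point_order(c, c.g), sig
    if not (0 < r < n and 0 < s < n):
        return False
    w = pow(s, -1, n)
    R = point_add(c, scalar_mult(c, z * w % n, c.g),
                  scalar_mult(c, r * w % n, pub))
    return R is not None and R[0] % n == r

def trusted_by_flawed_check(cert: Cert, cache: List[Cert]) -> bool:
    """Pre-patch behaviour: cached root matched by public key only."""
    return any(cert.pubkey == root.pubkey for root in cache)

def trusted_by_fixed_check(cert: Cert, cache: List[Cert]) -> bool:
    """Post-patch behaviour: the curve parameters must match as well."""
    return any(cert.pubkey == root.pubkey and cert.params == root.params for root in cache)

NAMED_CURVE = CurveParams(p=17, a=2, b=2, g=(5, 1))  # group of prime order 19

def curveball_demo() -> dict:
    # Constructed trusted root with private key 7, unknown to the attacker.
    root_pub = scalar_mult(NAMED_CURVE, 7, NAMED_CURVE.g)
    cache = [Cert("Constructed Root CA", NAMED_CURVE, root_pub)]  # already cached
    # Forged root: same curve equation, but explicit parameters whose
    # generator is the trusted root's public key, and private key 1.
    evil_params = CurveParams(p=17, a=2, b=2, g=root_pub)
    evil_priv = 1
    evil_pub = scalar_mult(evil_params, evil_priv, evil_params.g)
    forged_root = Cert("Constructed Root CA", evil_params, evil_pub)
    leaf_hash = 11  # stands in for the hash of a leaf cert for the spoofed site
    sig = ecdsa_sign(evil_params, evil_priv, leaf_hash)
    return {
        "pubkeys_collide": evil_pub == root_pub,
        "flawed_trusts_forgery": trusted_by_flawed_check(forged_root, cache),
        "fixed_trusts_forgery": trusted_by_fixed_check(forged_root, cache),
        "forged_sig_verifies": ecdsa_verify(evil_params, evil_pub, leaf_hash, sig),
    }
```

Calling `curveball_demo()` shows the forged root's public key colliding with the cached root's, the flawed check accepting the forgery while the fixed check rejects it, and a signature made with private key 1 verifying under the forged root's own parameters. This is why Rashid's tweet notes the root CA must already be cached: the attack piggybacks on a cached trusted public key, and the fix is to bind trust to the full set of curve parameters rather than the point alone.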
This #PatchTuesday you are strongly encouraged to implement the recently released CVE-2020-0601 patch immediately. https://t.co/czVrSdMwCR pic.twitter.com/log6OU93cV
— NSA/CSS (@NSAGov) January 14, 2020
The vulnerability, according to the NSA, affects all Windows 10 and Windows Server 2016/2019 systems, as well as any application that relies on Windows for certificate trust checks.
Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) also issued an advisory on January 15 urging businesses, and Australians more generally, to patch their systems immediately.
“[The vulnerability] could allow an adversary to spoof a code-signing or TLS certificate and have it appear as valid, in addition this vulnerability may allow remote code execution,” the ACSC said on its page.
“The ACSC recommends that users of these products apply patches urgently to prevent malicious actors from using these vulnerabilities to compromise your network.”
Make sure you've got the latest patch: run Windows Update, or head to Microsoft's advisory page for CVE-2020-0601 and download the security update for your OS version. Getting rickroll'd would be the least of your problems if you don't.
[referenced url=”https://gizmodo.com.au/2020/01/the-australian-government-spent-8-7-million-to-run-windows-7-for-another-year/” thumb=”https://gizmodo.com.au/wp-content/uploads/2020/01/windows7dumb-410×231.jpg” title=”The Australian Government Spent $8.7 Million To Run Windows 7 For Another Year” excerpt=”Windows 7 may be dead for the rest of the world but for two Australian government departments, it’s alive and well for at least another year.”]