Google's Project Zero Reveals Zero-Day Exploit on Windows That Microsoft Hasn't Fixed Yet

Since Microsoft wasn't able to fix the bug in 90 days, Google's Project Zero team has now published the bug report.

Share on Facebook Tweet Share Reddit Comment
Google's Project Zero Reveals Zero-Day Exploit on Windows That Microsoft Hasn't Fixed Yet

The Project Zero team said that the bug exists in Windows' SymCrypt core cryptographic library

Highlights
  • Project Zero researcher Tavis Ormandy has detailed the exploit on Twitter
  • The bug has been filed as "low severity"
  • Microsoft would bring the fix through the July Patch Tuesday release

Google's Project Zero team has revealed a zero-day exploit affecting Windows systems. Microsoft was informed about the bug that is claimed to allow attackers to "take down an entire Windows fleet relatively easily", though the Redmond company hasn't been able to bring its fix in the 90-day window proposed originally. The issue is said to have its presence in Windows' SymCrypt core cryptographic library that is available for symmetric algorithms since Windows 8. The open-source project also debuted as the primary crypto library for asymmetric algorithms on the Windows 10 1703 build.

Project Zero researcher Tavis Ormandy through a series of tweets has detailed the exploit. "It's a DoS, but this means basically anything that does crypto in Windows can be deadlocked (s/mime, authenticode, ipsec, iis, everything). Microsoft committed to fixing it in 90 days, then didn't," Ormandy tweeted.

Since Microsoft wasn't able to fulfil its commitment on time, the Project Zero team has now published the bug report on the Chromium site. Ormandy has also created an X.509 certificate to trigger the bug that is believed to prompt a denial-of-service (DoS) attack on Windows servers. However, the bug has been marked with "low severity".

Senior Security Engineering Manager at Google Tim Willis in the Chromium post mentioned that Microsoft is still working on the fix. "MSRC [Microsoft Security Response Center] reached out to me and noted that the patch won't ship today and wouldn't be ready until the July release due to issues found in testing. As today is 91 days, derestricting the issue," said Willis.

It is likely that Microsoft would bring a fix through the next month's July Patch Tuesday release. Meanwhile, server admins should be aware of the vulnerability to avoid any inevitable incidents.

Comments

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and subscribe to our YouTube channel.

Jagmeet Singh Tech journalist by profession, tech explorer by passion. Budding philomath. More
Hong Kongers Alarmed by Google Translation Gaffe
WeWork Said to Consider $1.9-Billion Offer for 70 Percent Indian Affiliate Stake
 
 

Advertisement

 

Advertisement

© Copyright Red Pixels Ventures Limited 2019. All rights reserved.