The Project Zero team said that the bug exists in Windows’ SymCrypt core cryptographic library
Google’s Project Zero team has revealed a zero-day exploit affecting Windows systems. Microsoft was informed about the bug that is claimed to allow attackers to “take down an entire Windows fleet relatively easily”, though the Redmond company hasn’t been able to bring its fix in the 90-day window proposed originally. The issue is said to have its presence in Windows’ SymCrypt core cryptographic library that is available for symmetric algorithms since Windows 8. The open-source project also debuted as the primary crypto library for asymmetric algorithms on the Windows 10 1703 build.
Project Zero researcher Tavis Ormandy through a series of tweets has detailed the exploit. “It’s a DoS, but this means basically anything that does crypto in Windows can be deadlocked (s/mime, authenticode, ipsec, iis, everything). Microsoft committed to fixing it in 90 days, then didn’t,” Ormandy tweeted.
Since Microsoft wasn’t able to fulfil its commitment on time, the Project Zero team has now published the bug report on the Chromium site. Ormandy has also created an X.509 certificate to trigger the bug that is believed to prompt a denial-of-service (DoS) attack on Windows servers. However, the bug has been marked with “low severity”.
Senior Security Engineering Manager at Google Tim Willis in the Chromium post mentioned that Microsoft is still working on the fix. “MSRC [Microsoft Security Response Center] reached out to me and noted that the patch won’t ship today and wouldn’t be ready until the July release due to issues found in testing. As today is 91 days, derestricting the issue,” said Willis.
It is likely that Microsoft would bring a fix through the next month’s July Patch Tuesday release. Meanwhile, server admins should be aware of the vulnerability to avoid any inevitable incidents.