Security specialists in web pages members of the so-called “Project Zero” of Google, in charge of detecting zero-day vulnerabilities, have revealed a new flaw in Windows that was still in the process of being corrected by Microsoft.
Tavis Ormandy, one of the members of Project Zero, revealed the discovery of a security flaw in the central Windows cryptographic library: “We notified the company and committed to launch a solution in 90 days, but this has not happened. Upon completion of the period mentioned by Microsoft, the specialists revealed the failure to the public.
The vulnerability exists in SymCrypt, the central cryptographic library responsible for implementing cryptographic algorithms in Windows 10 and 8. Security experts in web pages discovered that by using an erroneous digital certificate, it is possible to force SymCrypt calculations into an infinite loop. The above conditions will cause a denial of service (DoS) attack on Windows servers.
Web security experts add that multiple tools that process unreliable content, such as antivirus software, call these routines in untrusted data, which will cause them to crash. However, Ormandy considers that this is a failure of low severity, although it must be taken seriously.
The specialists published a security alert, in addition to a proof of concept, demonstrating that it is possible to generate the DoS attack using a badly formatted certificate.
Project Zero grants 90-day terms to companies to solve their findings. The vulnerability was revealed to Microsoft in mid-March and, according to experts, the company committed to launch a security bulletin and resolve the failure before Tuesday, June 11. The expert stated that the Response Center Security Incident Microsoft sent a message claiming that because of the problems generated during the process of correcting the fault, the correction would be ready until July, so the expert decided reveal the vulnerability
According to the International Cybersecurity Institute (IICS) some members of the cybersecurity community show their support for Ormandy’s decision to reveal the vulnerability; On the other hand, others consider that, since the company is working to deliver a fully functional security patch, the Project Zero team could have granted the company a little more time to update its services.