CATEGORIES
home News

Google Rings Alarm On Windows 10 Zero-Day Exploit After Microsoft Misses Patch Deadline

by Paul LillyThursday, June 13, 2019, 12:45 PM EDT
Windows 10 Bug
When it comes to disclosing vulnerabilities, the Project Zero team at Google generally sticks to a hard-and-fast deadline, giving companies 90 days to issue a patch before going public with its findings. There are some rare exceptions, but for the most part, Project Zero sticks to that time frame. As such, Project Zero is making some noise about a Windows bug that could allow an attacker to "take down an entire Windows fleet relatively easily."

The issue lies in the SymCrypt core cryptographic library of Windows. A bug exists in SymCrypt's multi-precision arithmetic routines for implementing symmetric cryptographic algorithms in Windows 8, and asymmetric ones in Windows 10.

By leveraging the bug, an attacker could can "cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric." Security researcher Tavis Ormandy created an X.509 certificate to trigger the bug, which he says can prompt a denial-of-service (DoS) attack on any Windows server.
Ormandy has actually filed the bug as "low severity," even though it can be used to cause mass damage. As for a patch, Microsoft had three months to stomp out this bug, and was actually granted a brief extension to issue a bulletin on June 11, which would mark 91 days since being privately notifed. However, it was not able to meet the extended deadline.

"MSRC [Microsoft Security Response Center] reached out to me and noted that the patch won't ship today and wouldn't be ready until the July release due to issues found in testing. As today is 91 days, derestricting the issue," wrote Tim Willis, a senior security engineering manager at Google.

Assuming the followup tests go well, this issue should be mitigated with next month's Patch Tuesday roll out, on July 9.
Tags:  Microsoft, Google, security, Windows 10, Project Zero, (nasdaq:msft), (nasdaq:goog), symcrypt
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment