New zero-day cryptographic vulnerability found in Windows 10

Website security audit experts from Google’s “Project Zero”, the team responsible for detecting zero-day vulnerabilities, have revealed a new Windows flaw that was still in the process of being corrected by Microsoft.

Tavis Ormandy, one of the members of Project Zero, revealed the discovery of a security flaw in the Windows Central Cryptographic library: “We notified the company and they pledged to launch a solution in 90 days, but this has not happened.” At the time of the deadline mentioned by Microsoft, the specialists publicly disclosed the vulnerability.

The vulnerability exists in SymCrypt, the central cryptographic library responsible for implementing cryptographic algorithms in Windows 10 and 8. Website security audit experts found that a malformed digital certificate can force SymCrypt calculations into an infinite loop. This condition results in a denial of service (DoS) on Windows servers.

Website security audit experts add that multiple tools that process untrusted content, such as anti-virus software, call these routines on untrusted data, which causes those tools to crash. However, Ormandy believes that this is a low-severity flaw, although it must be taken seriously.
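For services that must process untrusted certificates, one mitigation for this class of hang is to run the processing in a child process with a hard deadline, so a calculation that never terminates cannot stall the caller. The sketch below is an added example, not code from Project Zero or Microsoft; the worker is a constructed stand-in that loops on a marker input and does not reproduce the SymCrypt flaw, and the function names and sample inputs are hypothetical.

```python
import subprocess
import sys

# Constructed stand-in for a certificate-processing routine (hypothetical,
# not SymCrypt): it spins forever when the input starts with b"LOOP",
# mimicking a calculation that never terminates on a malformed certificate.
WORKER = r"""
import sys
data = sys.stdin.buffer.read()
while data.startswith(b"LOOP"):
    pass
sys.stdout.write("parsed %d bytes" % len(data))
"""


def check_untrusted_cert(blob, timeout_s=5.0):
    """Process untrusted bytes in a child process with a hard deadline.

    Returns "ok" if the worker finished, "timeout" if it had to be killed,
    or "error" if it exited with a non-zero status.
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-c", WORKER],
            input=blob,
            capture_output=True,
            timeout=timeout_s,  # subprocess.run kills the child on expiry
        )
    except subprocess.TimeoutExpired:
        return "timeout"
    return "ok" if proc.returncode == 0 else "error"


def triage(samples, timeout_s=5.0):
    """Map each sample name to its verdict so that inputs which hang the
    worker can be quarantined instead of being retried indefinitely."""
    return {name: check_untrusted_cert(blob, timeout_s)
            for name, blob in samples.items()}


if __name__ == "__main__":
    # Constructed sample inputs, not real certificates.
    samples = {
        "benign.der": b"\x30\x82\x01\x0a constructed sample bytes",
        "hanging.der": b"LOOP constructed sample bytes",
    }
    print(triage(samples, timeout_s=2.0))
```

The same pattern applies to any component that hands attacker-supplied certificates to a library routine: the deadline turns a hang into a per-input failure that can be logged and alerted on.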

The specialists published a security alert, in addition to a proof of concept, demonstrating that the DoS condition can be triggered using an incorrectly formatted certificate.

Project Zero gives companies a deadline of 90 days to fix the findings it reports. The vulnerability was disclosed to Microsoft in mid-March and, according to experts, the company pledged to launch a security bulletin and solve the flaw by Tuesday, June 11. The expert stated that the Microsoft Security Incidents Response Center sent him a message stating that, due to problems that arose during the error correction process, the correction would not be ready until July, so the expert decided to publicly disclose the vulnerability.

According to the International Institute of Cyber Security (IICS), some members of the cybersecurity community support Ormandy’s decision to disclose the vulnerability; others consider that, since the company is working to deliver a fully functional security patch, the Project Zero team could have given the company some more time to upgrade its services.

