Google hackers find bugs in Windows, less serious but can cause denial of service


By turalmammadzada

The bug information of Windows cryptographic library 'SymCrypt' has been published on Twitter by hackers. The hacker, Tavis Ormandy , is a Google-owned white hacker who reported bugs to Microsoft in advance. However, because Microsoft did not respond by the date when the response was received from Microsoft, they decided to release the information.

1804: cryptoapi: SymCrypt modular inverse algorithm
https://bugs.chromium.org/p/project-zero/issues/detail?id=1804

SymCrypt Bug Would Let Attacker 'Take Down Entire Windows Fleet'
https://www.cbronline.com/news/symcrypt-bug

Flaw in SymCrypt Can Trigger DDoS-Infosecurity Magazine
https://www.infosecurity-magazine.com/news/flaw-in-symcrypt-can-trigger-ddos-1-1/

The bug pointed out by Omandi is that it forces an infinite loop in a protocol that uses the cryptographic library SymCrypt, which controls all encryption on Windows. Since S / MIME , authenticode , IPsec , IIS, etc. use SymCrypt encryption, it is possible to deadlock the service by using the discovered vulnerability when trying to execute VPN or Microsoft Exchange Server. It is possible to get into a denial of service (DoS) state.

Omandi reported this 'relatively low severity' bug to Microsoft. In response to the report, Microsoft promised to fix within 90 days, but since the fix was not made by the due date, Ormandy has published information on the bug on Twitter.




A Microsoft spokeswoman told Infosecurity Magazine that 'Microsoft is responsible for addressing reported bugs as soon as possible. Of course we are trying our best to meet deadlines, but we are forced to Developing a security update is a delicate task that balances speed and accuracy, as much as possible while protecting the security of as many PCs as possible while minimizing the impact of bugs. We are responding by e-mail. According to Ormandy, the bug is 'less serious.'

in Software,   Security, Posted by log1k_iy