Google hackers find bugs in Windows, less serious but can cause denial of service
The bug information of Windows cryptographic library 'SymCrypt' has been published on Twitter by hackers. The hacker, Tavis Ormandy , is a Google-owned white hacker who reported bugs to Microsoft in advance. However, because Microsoft did not respond by the date when the response was received from Microsoft, they decided to release the information.
1804: cryptoapi: SymCrypt modular inverse algorithm
SymCrypt Bug Would Let Attacker 'Take Down Entire Windows Fleet'
Flaw in SymCrypt Can Trigger DDoS-Infosecurity Magazine
The bug pointed out by Omandi is that it forces an infinite loop in a protocol that uses the cryptographic library SymCrypt, which controls all encryption on Windows. Since S / MIME , authenticode , IPsec , IIS, etc. use SymCrypt encryption, it is possible to deadlock the service by using the discovered vulnerability when trying to execute VPN or Microsoft Exchange Server. It is possible to get into a denial of service (DoS) state.
Omandi reported this 'relatively low severity' bug to Microsoft. In response to the report, Microsoft promised to fix within 90 days, but since the fix was not made by the due date, Ormandy has published information on the bug on Twitter.
It's a DoS, but this means basically anything that does crypto in Windows can be deadlocked (s / mime, authenticate, ipsec, iis, everything). to fixing it in 90 days, then didn't.— Tavis Ormandy (@taviso) June 11, 2019
A Microsoft spokeswoman told Infosecurity Magazine that 'Microsoft is responsible for addressing reported bugs as soon as possible. Of course we are trying our best to meet deadlines, but we are forced to Developing a security update is a delicate task that balances speed and accuracy, as much as possible while protecting the security of as many PCs as possible while minimizing the impact of bugs. We are responding by e-mail. According to Ormandy, the bug is 'less serious.'