New zero-day cryptographic vulnerability found in Windows 10

Website security audit experts who are members of Google’s “Project Zero”, the team responsible for detecting zero-day vulnerabilities, have revealed a new Windows flaw that was still in the process of being corrected by Microsoft.

Tavis Ormandy, one of the members of Project Zero, revealed the discovery of a security flaw in the Windows Central Cryptographic library: “We notified the company and they pledged to launch a solution in 90 days, but this has not happened.” At the time of the deadline mentioned by Microsoft, the specialists publicly disclosed the vulnerability.

The vulnerability exists in SymCrypt, the central cryptographic library responsible for implementing cryptographic algorithms in Windows 10 and 8. Website security audit experts found that a malformed digital certificate can force SymCrypt calculations into an infinite loop. The result is a denial of service (DoS) condition on Windows servers.

Website security audit experts add that multiple tools that process untrusted content, such as anti-virus software, call these routines on untrusted data, causing them to crash. However, Ormandy believes that this is a low-severity flaw, although it must be taken seriously.

The specialists published a security alert along with a proof of concept, showing that the DoS condition can be triggered with a malformed certificate.

Project Zero gives companies a deadline of 90 days to fix its findings. The vulnerability was disclosed to Microsoft in mid-March and, according to experts, the company pledged to publish a security bulletin and fix the flaw by Tuesday, June 11. The expert stated that the Microsoft Security Incidents Response Center sent him a message saying that, due to problems that arose during the correction process, the fix would not be ready until July, so the expert decided to publicly disclose the vulnerability.

According to the International Institute of Cyber Security (IICS), some members of the cybersecurity community support Ormandy’s decision to disclose the vulnerability; others consider that, since the company is working to deliver a fully functional security patch, the Project Zero team could have given the company some more time to upgrade its services.