Google's Project Zero Reveals Zero-Day Exploit on Windows That Microsoft Hasn't Fixed Yet

Since Microsoft wasn't able to fix the bug in 90 days, Google's Project Zero team has now published the bug report.

By Jagmeet Singh | Updated: 14 June 2019 14:08 IST

Highlights

Project Zero researcher Tavis Ormandy has detailed the exploit on Twitter
The bug has been filed as "low severity"
Microsoft would bring the fix through the July Patch Tuesday release

Google's Project Zero Reveals Zero-Day Exploit on Windows That Microsoft Hasn't Fixed Yet

The Project Zero team said that the bug exists in Windows' SymCrypt core cryptographic library

Google's Project Zero team has revealed a zero-day exploit affecting Windows systems. Microsoft was informed about the bug that is claimed to allow attackers to "take down an entire Windows fleet relatively easily", though the Redmond company hasn't been able to bring its fix in the 90-day window proposed originally. The issue is said to have its presence in Windows' SymCrypt core cryptographic library that is available for symmetric algorithms since Windows 8. The open-source project also debuted as the primary crypto library for asymmetric algorithms on the Windows 10 1703 build.

Project Zero researcher Tavis Ormandy through a series of tweets has detailed the exploit. "It's a DoS, but this means basically anything that does crypto in Windows can be deadlocked (s/mime, authenticode, ipsec, iis, everything). Microsoft committed to fixing it in 90 days, then didn't," Ormandy tweeted.

Since Microsoft wasn't able to fulfil its commitment on time, the Project Zero team has now published the bug report on the Chromium site. Ormandy has also created an X.509 certificate to trigger the bug that is believed to prompt a denial-of-service (DoS) attack on Windows servers. However, the bug has been marked with "low severity".

Senior Security Engineering Manager at Google Tim Willis in the Chromium post mentioned that Microsoft is still working on the fix. "MSRC [Microsoft Security Response Center] reached out to me and noted that the patch won't ship today and wouldn't be ready until the July release due to issues found in testing. As today is 91 days, derestricting the issue," said Willis.

It is likely that Microsoft would bring a fix through the next month's July Patch Tuesday release. Meanwhile, server admins should be aware of the vulnerability to avoid any inevitable incidents.

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.