When it comes to disclosing vulnerabilities, the Project Zero team at Google generally sticks to a hard-and-fast deadline, giving companies 90 days to issue a patch before going public with its findings. There are some rare exceptions, but for the most part, Project Zero sticks to that time frame. As such, Project Zero is making some noise about a Windows bug that could allow an attacker to "take down an entire Windows fleet relatively easily."
The issue lies in the SymCrypt core cryptographic library of Windows. A bug exists in SymCrypt's multi-precision arithmetic routines for implementing symmetric cryptographic algorithms in Windows 8, and asymmetric ones in Windows 10.
By leveraging the bug, an attacker can "cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric." Security researcher Tavis Ormandy created an X.509 certificate to trigger the bug, which he says can prompt a denial-of-service (DoS) attack on any Windows server.
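As an added illustration (not SymCrypt's code and not from the original article), the following modular-inverse routine shows the defensive shape that prevents the failure mode described above: degenerate or non-invertible inputs are rejected, the loop carries a finite iteration budget, and the result is verified before being returned. The algorithm is the standard extended Euclidean one, and the exception names and budget formula are my own choices.

```python
# Added example (not Microsoft's SymCrypt code): a modular-inverse routine
# hardened against the failure mode the article describes, an unbounded loop
# on attacker-chosen inputs such as parameters taken from an X.509 certificate.
# Three defences: reject degenerate inputs up front, cap the iteration count at
# a bound the algorithm can never legitimately exceed, and verify the result.

class NonInvertible(ValueError):
    """a has no inverse modulo m (gcd(a, m) != 1) or the inputs are malformed."""

class IterationBudgetExceeded(RuntimeError):
    """Defence in depth: the loop ran past its provable upper bound."""

def mod_inverse(a: int, m: int) -> int:
    """Return x with (a * x) % m == 1, or raise instead of looping forever."""
    if m < 2:
        raise NonInvertible("modulus must be >= 2")
    a %= m                      # normalise negatives and values >= m
    if a == 0:
        raise NonInvertible("0 has no inverse")
    # Lame's theorem bounds Euclid's algorithm at roughly 1.44 * log2(m)
    # divisions; 2 * bit_length + 8 is a generous but finite budget.
    budget = 2 * m.bit_length() + 8
    old_r, r = a, m
    old_s, s = 1, 0
    steps = 0
    while r != 0:
        steps += 1
        if steps > budget:
            raise IterationBudgetExceeded(f"exceeded {budget} iterations")
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:              # gcd(a, m) != 1: no inverse exists
        raise NonInvertible(f"gcd is {old_r}, not 1")
    inv = old_s % m
    if (a * inv) % m != 1:      # never trust the loop; check the result
        raise RuntimeError("internal error: inverse failed verification")
    return inv

def inverse_or_none(a: int, m: int):
    """Wrapper for untrusted input: any failure becomes a rejection, not a hang."""
    try:
        return mod_inverse(a, m)
    except (NonInvertible, IterationBudgetExceeded):
        return None

if __name__ == "__main__":
    print(mod_inverse(3, 11))           # 4
    print(inverse_or_none(2, 4))        # None: gcd(2, 4) = 2
    print(inverse_or_none(0, 7))        # None
```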
Ormandy has actually filed the bug as "low severity," even though it can be used to cause mass damage. As for a patch, Microsoft had three months to stomp out this bug, and was actually granted a brief extension to issue a bulletin on June 11, which would mark 91 days since being privately notified. However, it was not able to meet the extended deadline.
"MSRC [Microsoft Security Response Center] reached out to me and noted that the patch won't ship today and wouldn't be ready until the July release due to issues found in testing. As today is 91 days, derestricting the issue," wrote Tim Willis, a senior security engineering manager at Google.
Assuming the follow-up tests go well, this issue should be mitigated with next month's Patch Tuesday rollout, on July 9.