Google's Project Zero Reveals Zero-Day Exploit on Windows That Microsoft Hasn't Fixed Yet

Since Microsoft wasn't able to fix the bug in 90 days, Google's Project Zero team has now published the bug report.

Advertisement
By Jagmeet Singh | Updated: 14 June 2019 14:08 IST
Highlights
  • Project Zero researcher Tavis Ormandy has detailed the exploit on Twitter
  • The bug has been filed as "low severity"
  • Microsoft would bring the fix through the July Patch Tuesday release
Google's Project Zero Reveals Zero-Day Exploit on Windows That Microsoft Hasn't Fixed Yet

The Project Zero team said that the bug exists in Windows' SymCrypt core cryptographic library

Google's Project Zero team has revealed a zero-day exploit affecting Windows systems. Microsoft was informed about the bug that is claimed to allow attackers to "take down an entire Windows fleet relatively easily", though the Redmond company hasn't been able to bring its fix in the 90-day window proposed originally. The issue is said to have its presence in Windows' SymCrypt core cryptographic library that is available for symmetric algorithms since Windows 8. The open-source project also debuted as the primary crypto library for asymmetric algorithms on the Windows 10 1703 build.

Project Zero researcher Tavis Ormandy through a series of tweets has detailed the exploit. "It's a DoS, but this means basically anything that does crypto in Windows can be deadlocked (s/mime, authenticode, ipsec, iis, everything). Microsoft committed to fixing it in 90 days, then didn't," Ormandy tweeted.

Since Microsoft wasn't able to fulfil its commitment on time, the Project Zero team has now published the bug report on the Chromium site. Ormandy has also created an X.509 certificate to trigger the bug that is believed to prompt a denial-of-service (DoS) attack on Windows servers. However, the bug has been marked with "low severity".

Senior Security Engineering Manager at Google Tim Willis in the Chromium post mentioned that Microsoft is still working on the fix. "MSRC [Microsoft Security Response Center] reached out to me and noted that the patch won't ship today and wouldn't be ready until the July release due to issues found in testing. As today is 91 days, derestricting the issue," said Willis.

Advertisement

It is likely that Microsoft would bring a fix through the next month's July Patch Tuesday release. Meanwhile, server admins should be aware of the vulnerability to avoid any inevitable incidents.

 

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Advertisement

Related Stories

Popular Mobile Brands
  1. Realme GT 7: Launch Date, Expected Price in India, Features, and More
  1. NASA Satellite Detects Tree Leaf Changes as Early Volcano Eruption Warning Signal
  2. Russian Researchers Discover 11 New Active Galactic Nuclei In Spektr-RG X-ray Survey
  3. New Study Reveals Recent Ice Gains in Antarctica, But Long-Term Melting Continues
  4. Astronomers Discover Teleios, A Supernova Remnant with Perfect Symmetry
  5. NASA’s SWOT Satellite Reveals Big Impact of Small Ocean Currents and Waves in n Marine Ecosystems
  6. Ironheart OTT Release Date: When and Where to Watch Marvel’s Upcoming Mini Series?
  7. NASA’s Europa Clipper Captures Stunning Infrared Image of Mars
  8. Captain America: Brave New World OTT Release Date: When and Where to Watch Marvel Movie Online?
  9. Iyer in Arabia Now Streaming on SunNXT: What You Need to Know About Shine Tom Chacko, Arfaz Iqbal Starrer Malayalam Comedy Film
  10. Manamey Tamil Version Now Streaming on Aha: Everything You Need to Know
Gadgets 360 is available in
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2025. All rights reserved.