Google’s security team has again disclosed a 0-day vulnerability in Windows 10 that can lead to a denial of service on affected servers. The vulnerability was originally discovered and reported to Microsoft three months ago. Microsoft confirmed the problem one day later and asked Google for further details of the vulnerability.
Google researcher said that “Microsoft committed to fixing it in 90 days, then didn’t. Today is day 91, so the issue is now public. I consider this relatively low severity, but you could take down an entire Windows fleet relatively easily, so it’s worth being aware of.”
Today is day 91, so the issue is now public. I consider this relatively low severity, but you could take down an entire Windows fleet relatively easily, so it's worth being aware of. https://t.co/KKa7cOMyfw
— Tavis Ormandy (@taviso) June 11, 2019
According to Google’s security experts, the vulnerability is caused by an error in certificate verification. Windows 8 and later use a particular encryption library. An attacker could craft a specific X.509 digital certificate that triggers the flaw in the encryption library when the library attempts to verify it and fails.
Once the vulnerability is triggered, it mainly disrupts the normal operation of other programs on the system, resulting in a denial of service. Commonly affected programs include IIS, IPsec, and Exchange. Relatively speaking, the impact of this vulnerability is low: it causes the server to stop providing services, but it does not lead to data leakage or other security risks.
Because Microsoft did not fix the vulnerability on schedule, Google has now made all the details of the vulnerability public. At present, Microsoft has not issued a statement on the matter explaining why the fix could not be delivered as planned.