I noticed a bug in SymCrypt, the core library that handles all crypto on Windows. It's a DoS, but this means basically anything that does crypto in Windows can be deadlocked (S/MIME, Authenticode, IPsec, IIS, everything). Microsoft committed to fixing it in 90 days, then didn't.
I understand de-restricting issues after a certain time when the vendor has been unwilling to fix/acknowledge the bug, but it looks like you are in dialogue with the vendor, who is working on a fix, so why not wait until the patch is out?
The deadline was exceeded.
(22 more replies not shown)
New conversation
Yep, they open-sourced it; that was after I had already started reporting bugs.
New conversation
How was the low severity rating decided on if this can be used as a remote DoS?
I used my personal best judgement ¯\_(ツ)_/¯
(1 more reply not shown)

New conversation
Today I'm glad it's been years since I had to sysadmin Windows. While I don't have a dog in this disclosure fight, I feel for the poor defenders who rarely get to make patch decisions at this rarefied level. They'll just get blamed for the inevitable intrusions.
Not sure the intrusions are inevitable with a low-severity DoS bug. I think it's more likely the various 0days that were dropped recently and are still unpatched might be used, but you're the sysadmin.
New conversation
No chance that this can lead to a screwup in the modinvert calculation rather than merely a DoS?
Hmm, I really don't know. I was working on this before the source was released, now that it's available I should think about it some more.
(1 more reply not shown)