The vulnerability is actually a bug in SymCrypt, the core cryptographic library in Windows, which has implemented the symmetric algorithms since Windows 8 and, in current versions, the asymmetric algorithms as well. Ormandy found that a malformed digital certificate can force a SymCrypt calculation into an infinite loop. This allows a denial-of-service (DoS) attack against any Windows server that processes such certificates, for example a service that uses IPsec for VPN connections, or Microsoft Exchange Server, which provides e-mail and calendars.
Ormandy also pointed out that "a lot of software that processes untrusted content (such as anti-virus software) calls these routines on untrusted data, and this will cause it to hang."
He nevertheless rated it as a low-severity vulnerability, adding that because it makes it relatively easy to take down an entire Windows fleet, it is worth pointing out.
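The practical lesson of the two paragraphs above is that any service which hands untrusted certificates to a crypto library needs a hard deadline around that work, enforced from outside the process that does it, because a tight loop inside a native library cannot be interrupted by a thread timeout. The following is an added example and not code from Ormandy's report or from SymCrypt: it runs certificate processing in a disposable worker process and kills the worker when the deadline passes. The `hang_on_malformed` routine is a constructed stand-in for the looping library call, and its trigger (a body starting with the byte 0xFF) is an arbitrary assumption chosen for the demonstration; the DER length decoder is real, minimal parsing of the certificate's outer SEQUENCE.

```python
"""Run untrusted-certificate processing in a disposable worker process with a
hard deadline, so that a hang inside the crypto routine takes down only the
worker, never the service.  Added example; hang_on_malformed is a constructed
stand-in for a library routine that never terminates on crafted input."""
import multiprocessing as mp
from typing import Any, Callable, Tuple


def der_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode the DER length field at buf[pos]; return (length, position of content).
    Rejects indefinite-length (0x80) and non-minimal encodings, which DER forbids."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:                      # 0x80 = indefinite; >4 bytes is unrealistic for a cert
        raise ValueError("invalid DER length")
    raw = buf[pos + 1:pos + 1 + n]
    if len(raw) != n:
        raise ValueError("truncated DER length")
    length = int.from_bytes(raw, "big")
    if length < 0x80:
        raise ValueError("non-minimal DER length")
    return length, pos + 1 + n


def parse_outer_sequence(cert: bytes) -> int:
    """Benign work: check that cert is exactly one DER SEQUENCE, return its body length."""
    if not cert or cert[0] != 0x30:
        raise ValueError("not a SEQUENCE")
    length, body = der_length(cert, 1)
    if body + length != len(cert):
        raise ValueError("length does not match input")
    return length


def hang_on_malformed(cert: bytes) -> int:
    """Constructed stand-in for a routine that loops forever on crafted input:
    the marker byte 0xFF at the start of the body is an assumption for the demo."""
    length = parse_outer_sequence(cert)
    if cert[len(cert) - length:][:1] == b"\xff":
        while True:          # the "infinite loop in a calculation" the article describes
            pass
    return length


def _worker(conn, func: Callable[..., Any], args: tuple) -> None:
    """Child side: run func and report ("ok", result) or ("error", repr) over the pipe."""
    try:
        conn.send(("ok", func(*args)))
    except Exception as exc:   # report parse failures instead of crashing silently
        conn.send(("error", repr(exc)))
    finally:
        conn.close()


def run_with_deadline(func: Callable[..., Any], args: tuple, timeout: float) -> Tuple[str, Any]:
    """Run func(*args) in a child process; return ("ok", value), ("error", text)
    or ("timeout", None).  SIGKILL works even if the child is stuck in native code."""
    parent, child = mp.Pipe(duplex=False)    # parent receives, child sends
    proc = mp.Process(target=_worker, args=(child, func, args))
    proc.start()
    child.close()
    if parent.poll(timeout):
        status, value = parent.recv()
        proc.join()
        return status, value
    proc.kill()                              # deadline passed: destroy the worker
    proc.join()
    return "timeout", None


if __name__ == "__main__":
    # Constructed inputs: SEQUENCE { INTEGER 5 }, and the same with the trigger byte.
    good = b"\x30\x03\x02\x01\x05"
    bad = b"\x30\x03\xff\x01\x05"
    print(run_with_deadline(hang_on_malformed, (good,), 2.0))
    print(run_with_deadline(hang_on_malformed, (bad,), 0.5))
```

The worker is killed, not asked to stop: a hang of this kind is CPU-bound inside the library, so cooperative cancellation never gets a chance to run, and per-request process isolation (or a watchdog that restarts the service) is the only defence that holds until the library itself is patched.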
The report published by Ormandy gives details of the vulnerability together with an example of a malformed certificate that triggers the denial of service.
As mentioned earlier, Project Zero has a 90-day disclosure deadline. Ormandy first reported this vulnerability on March 13, and on March 26 Microsoft confirmed that it would publish a security bulletin and fix the bug in the Patch Tuesday release of June 11. Ormandy considered that "this is 91 days, but it is within the extension period, so it is acceptable."
On June 11, the Microsoft Security Response Center (MSRC) told him that "the patch will not be released today; because of problems found in testing, it will not ship until July." Ormandy then disclosed the vulnerability publicly.
Public disclosure of the vulnerability: