Submitted via IRC for SoyCow1944
Bad Cert Vulnerability Can Bring Down Any Windows Server
A Google security expert today revealed that an unpatched issue in the main cryptographic library of Microsoft's operating system can cause a denial-of-service (DoS) condition in Windows 8 servers and above.
The problem is in SymCrypt, the primary library for implementing symmetric cryptographic algorithms in Windows 8 and also for asymmetric ones starting with Windows 10 version 1703.
Tavis Ormandy, a vulnerability researcher at Google, noticed that SymCrypt could easily be used to cause a never-ending operation "when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric."
He was able to test the bug with the help of a specially crafted X.509 digital certificate that prevents completing the verification process. Any program on the system that processes the certificate triggers the vulnerability.
Affected systems can receive a malformed certificate in multiple ways since it is used in secure internet protocols (e.g. TLS) or for validating identity in digital signatures.
Thus, it can be delivered in digitally signed and encrypted messages via the S/MIME protocol or through a Secure Channel (schannel) connection that provides authentication between clients and servers.
The researcher considers the bug has low severity but can help an attacker take down a "Windows fleet" in a short period.
(Score: 2) by aristarchus on Thursday June 13 2019, @06:16PM (8 children)
"Windows"? "Server"? Who could be so foolish?
(Score: -1, Flamebait) by Anonymous Coward on Thursday June 13 2019, @06:42PM (2 children)
Just sayin'.
(Score: 0) by Anonymous Coward on Thursday June 13 2019, @07:02PM (1 child)
Two comments [wikipedia.org].
Good show!
*For those of you who are members of the Ten Thousand [xkcd.com], this is a reference to Godwin's Law [wikipedia.org].
(Score: 0) by Anonymous Coward on Thursday June 13 2019, @08:12PM
well i guess someone got famous thanks to hitler ...
(Score: 0) by Anonymous Coward on Thursday June 13 2019, @06:56PM (1 child)
https://www.howtogeek.com/424886/windows-10s-linux-kernel-is-now-available/ [howtogeek.com]
(Score: 3, Insightful) by Gaaark on Friday June 14 2019, @12:49AM
Why the fuck not just be intelligent and run Windows in a linux VM?
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by DannyB on Thursday June 13 2019, @08:10PM (2 children)
Look, Windows Server Data Center Edition is grate! You buy very nice server hardware in the mid thousands. Then for more than the cost of the hardware you can get that OS.
But why?
Because it will allow you to install Hyper-V, and then install that same OS under Hyper-V as many times as you want -- and activate them! That way you can spin up more instances of Windows Server Data Center Edition without having to get permission from anyone, or having to put in CIT ticket and jump through hoops to get them to activate your new VM within the time limited period before it expires.
What other OS would possibly let you activate your own instances under a VM!
None, I tell you !!!
So it's not so foolish1, and I hope that answers your question.
I did not bother including <no-sarcasm> tags. But what I described is factual, even if it churns my stomach.
1for certain values of foolish
People today are educated enough to repeat what they are taught but not to question what they are taught.
(Score: 0) by Anonymous Coward on Friday June 14 2019, @04:12AM (1 child)
"grate"?? Is that for the cheese? Or sewer covering?
(Score: 2) by DannyB on Friday June 14 2019, @01:51PM
Since I'm talking about Windows OS, I'll let you decide.
People today are educated enough to repeat what they are taught but not to question what they are taught.
(Score: 1, Touché) by Anonymous Coward on Thursday June 13 2019, @06:58PM (2 children)
I have never heard of Windows 8 server. Time to freshen up my Windows history knowledge.
(Score: 2) by DannyB on Thursday June 13 2019, @08:14PM
There are:
Windows 2003 Server
Windows 2008 Server (and some revisions, r1, r2, etc)
Windows 2012 Server
Windows 2016 Server
And probably a few others I haven't had the displeasure of meeting. They come in various editions: Standard, . . . , Data Center Edition, and some few editions in between.
It is the lesson from the book "Big Blue: IBM's use and abuse of power". Segment your market. Tartar Control. Extra Whiting. With Baking Soda. With Peroxide. Tartar Control with Extra Whitening. Home Basic. Professional. Enterprise Edition. Server. Data Center Edition. Etc.
People today are educated enough to repeat what they are taught but not to question what they are taught.
(Score: 4, Informative) by nobu_the_bard on Thursday June 13 2019, @08:21PM
For most purposes, these are functionally similar like so (desktop GUI, libraries, various frameworks)...
Windows 2003 R2 = Windows XP server
Windows 2008 = Windows Vista server
Windows 2008 R2 = Windows 7 server
Windows 2012 = Windows 8 server
Windows 2012 R2 = Windows 8.1 server
Windows 2016 = Windows 10 v1709 server
Windows 2016 = Windows 10 v1809 server