[Cryptography] Windows security leads to 0-day in Windows security

Stephan Neuhaus stephan.neuhaus at zhaw.ch
Mon Nov 2 04:00:42 EST 2020



On 10/31/20 4:59 AM, Peter Gutmann wrote:
> I'm always amused to see security components used to break security.  This
> time it's Windows' CNG, a.k.a. Cryptography API: Next Generation, which has an
> 0-day in it that affects every version of Windows back to Windows 7:
> 
> https://bugs.chromium.org/p/project-zero/issues/detail?id=2104
> 
> It's at the kernel level, and being exploited in the wild.  Very unsporting of
> the attackers to ignore the "security line, do not cross" tape and attack
> there anyway.

It seems strange to me that one of the better C/C++ compilers out there 
(Visual Studio) wouldn't see the potential for an integer overflow here. 
(To be sure, it's UNSIGNED integer overflow, which is at least not 
undefined behaviour. That might in fact be part of the problem here.) 
Also, it seems to me that fuzzing would have found this problem rather 
quickly. It's a very odd bug to have survived apparently since Win7.

Do you have any insights on how this bug remained in the code base for 
so long, and why none of the (reportedly excellent) static analysis 
components of Visual Studio have alerted to it?

Fun

Stephan

PS: Windows has ioctls? I'd always thought they were a Unix specialty.
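The point raised above about unsigned overflow deserves a concrete illustration. The following C program is an added example, not code from this thread and not the cng.sys code the Project Zero report concerns; the buffer size, the function names and the probe values are all constructed. It shows the classic pattern: a bounds check written as `offset + length <= size` wraps modulo 2^32 in unsigned arithmetic, which is well-defined, so the compiler has nothing to diagnose and the check silently accepts an out-of-range request. Two hardened forms follow (a subtraction-based comparison, and the GCC/Clang `__builtin_add_overflow` builtin), plus a tiny boundary-value sweep in the spirit of a fuzz harness that counts how many probe pairs the naive check accepts and the safe check rejects.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed scenario: a request header carries an offset and a length
   into a fixed-size buffer; the handler must confirm that the range
   [offset, offset + length) lies inside the buffer before using it. */
#define BUF_SIZE 4096u

/* Naive check. Both operands are uint32_t, so the sum is computed modulo
   2^32. That wrap is defined behaviour for unsigned types, which is exactly
   why neither the compiler nor a UB-focused sanitizer flags it. For
   offset = 4000 and length = 0xFFFFFFF0 the sum wraps to 3984 <= BUF_SIZE. */
bool range_ok_naive(uint32_t offset, uint32_t length)
{
    return offset + length <= BUF_SIZE;
}

/* Hardened check: never form a sum that can wrap. Reject offsets past the
   end first, then compare the length against the remaining space. */
bool range_ok_safe(uint32_t offset, uint32_t length)
{
    if (offset > BUF_SIZE)
        return false;
    return length <= BUF_SIZE - offset;
}

/* Alternative hardened check: perform the addition but detect the wrap
   explicitly (GCC/Clang builtin; C23 offers ckd_add in <stdckdint.h>). */
bool range_ok_builtin(uint32_t offset, uint32_t length)
{
    uint32_t end;
    if (__builtin_add_overflow(offset, length, &end))
        return false;
    return end <= BUF_SIZE;
}

/* Boundary-value sweep, the kind of thing a fuzz harness converges on
   quickly: count the (offset, length) pairs the naive check accepts while
   the safe check rejects them. Each such pair is a bypassed bounds check. */
size_t count_naive_false_accepts(void)
{
    static const uint32_t probes[] = {
        0u, 1u, BUF_SIZE - 1, BUF_SIZE, BUF_SIZE + 1,
        0x7FFFFFFFu, 0x80000000u, 0xFFFFFFF0u, 0xFFFFFFFFu
    };
    size_t n = sizeof probes / sizeof probes[0];
    size_t bad = 0;

    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++)
            if (range_ok_naive(probes[i], probes[j]) &&
                !range_ok_safe(probes[i], probes[j]))
                bad++;
    return bad;
}

int main(void)
{
    uint32_t offset = 4000u, length = 0xFFFFFFF0u;

    printf("naive   : %s\n", range_ok_naive(offset, length) ? "accept" : "reject");
    printf("safe    : %s\n", range_ok_safe(offset, length) ? "accept" : "reject");
    printf("builtin : %s\n", range_ok_builtin(offset, length) ? "accept" : "reject");
    printf("probe pairs wrongly accepted by naive check: %zu\n",
           count_naive_false_accepts());
    return 0;
}
```

The subtraction form is the one that also compiles under MSVC, which lacks the GCC/Clang builtin; the sweep is deliberately small so the discrepancy is visible by inspection, whereas a real fuzzer would reach the same wrap-around inputs by mutating the header fields.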