June 11, 2019 (updated 12 Jun 2019 4:24pm)

Microsoft Bug Would Let Attacker “Take Down An Entire Windows Fleet”

90 days later, awaiting a patch...

By CBR Staff Writer

A Google vulnerability researcher says he has identified a bug in SymCrypt, the core cryptography library for Windows, that when exploited in a denial of service (DoS) attack could “take down an entire Windows fleet relatively easily”.

After disclosing the bug to Microsoft on Wednesday, March 13, Tavis Ormandy said he was told that the company would need until today (June 11) to patch the issue, but was later told the patch will not ship until July owing to issues found in testing. 

The bug was subject to a 90-day disclosure deadline. “Today is day 91, so the issue is now public,” he tweeted, characterising the issue as low severity despite the DoS possibilities (and hitting back at criticisms of the post-deadline disclosure).

In a bug report filed on Google’s Project Zero site, he wrote: “Here’s a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric.”


“I’ve been able to construct an X.509 certificate that triggers the bug. I’ve found that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, and so on will effectively DoS any windows server (e.g. ipsec, iis, exchange, etc) and (depending on the context) may require the machine to be rebooted. Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock.”
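As an added illustration of the failure class described above (constructed example, not code from the Project Zero report or from SymCrypt), here is a modular inverse routine of the binary extended-GCD kind that many crypto libraries use, written so that malformed inputs fail closed with an exception instead of spinning. The step budget, the `NonTerminatingInput` class and the final multiply-back check are the added defensive measures; the exact bit patterns that hung SymCrypt are not given on this page.

```python
"""Bounded modular inverse: constructed example, not SymCrypt's code."""


class NonTerminatingInput(ValueError):
    """The inverse loop exhausted its step budget: this input would have hung it."""


def binary_mod_inverse(a: int, m: int) -> int:
    """Inverse of a mod m by binary extended GCD, failing closed on bad input.

    Assumes an odd modulus and 0 < a < m.  A non-coprime operand drives the
    unbounded form of this loop to u == 0, where 'while u is even' never exits;
    the step budget turns that hang into an exception.
    """
    if m <= 2 or m % 2 == 0:
        raise ValueError("modulus must be odd and greater than 2")
    if not 0 < a < m:
        raise ValueError("operand must satisfy 0 < a < m")
    # Halvings are bounded by the bit lengths of a and m, and every subtraction
    # yields an even value that is halved next, so 4 * bits(m) steps suffice.
    budget = 4 * m.bit_length() + 4
    steps = 0

    def tick() -> None:
        nonlocal steps
        steps += 1
        if steps > budget:
            raise NonTerminatingInput(f"no progress after {budget} steps")

    u, v, x1, x2 = a, m, 1, 0
    while u != 1 and v != 1:
        tick()
        while u % 2 == 0:            # an unbounded loop spins here once u == 0
            tick()
            u //= 2
            x1 = x1 // 2 if x1 % 2 == 0 else (x1 + m) // 2
        while v % 2 == 0:
            tick()
            v //= 2
            x2 = x2 // 2 if x2 % 2 == 0 else (x2 + m) // 2
        if u >= v:
            u, x1 = u - v, x1 - x2
        else:
            v, x2 = v - u, x2 - x1
    result = (x1 if u == 1 else x2) % m
    if (a * result) % m != 1:        # never trust the loop: verify the answer
        raise ValueError("operand is not invertible modulo m")
    return result


def inverse_or_none(a: int, m: int):
    """For callers that must keep serving: None instead of a hang or crash."""
    try:
        return binary_mod_inverse(a, m)
    except ValueError:
        return None
```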

SymCrypt, Windows’ cryptographic function library, was started in late 2006 with the first sources committed in Feb 2007. Since the 1703 release of Windows 10, SymCrypt has been the primary crypto library for all algorithms in Windows. Microsoft notes in its GitHub repo that, like any engineering project, “SymCrypt is a compromise between conflicting requirements” including the need to minimise maintenance cost.

The disclosure, a day after the deadline lapsed, drew mixed reactions on social media: some criticised Ormandy for the move, and those criticisms were met with short shrift.

The ensuing debate boiled down, fundamentally, to how much sympathy those involved had for Microsoft. Some argued that the company needs more time to test patches to core components. Others argued that it had received helpful free guidance that could help it avoid DoS attacks, and that its failure to meet a deadline made publication of the vulnerability perfectly understandable. Those making the latter point noted that Microsoft has reduced its QA team and botched recent software updates.

The company has been accused of having “dysfunctional software processes”.
