Sign up for our newsletter
Technology / Cybersecurity

Microsoft Bug Would Let Attacker “Take Down An Entire Windows Fleet”

A Google vulnerability researcher says he has identified a bug in SymCrypt, the core cryptography library for Windows, that when exploited in a denial of service (DoS) attack could “take down an entire Windows fleet relatively easily”.

After disclosing the bug to Microsoft on Wednesday, March 13, Tavis Ormandy said he was told that the company would need until today (June 11) to patch the issue, but was later told the patch will not ship until July owing to issues found in testing. 

The bug was subject to a 90 day disclosure deadline. “Today is day 91, so the issue is now public” he tweeted, characterising the issue as low severity, despite the DoS possibilities (and hitting back at criticisms of the post-deadline disclosure).

White papers from our partners

— Tavis Ormandy (@taviso) June 11, 2019

In a bug report filed on Google’s Project Zero site, he wrote: “Here’s a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric.”

“I’ve been able to construct an X.509 certificate that triggers the bug. I’ve found that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, and so on will effectively DoS any windows server (e.g. ipsec, iis, exchange, etc) and (depending on the context) may require the machine to be rebooted. Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock.”

SymCrypt, Windows’ cryptographic function library, was started in late 2006 with the first sources committed in Feb 2007. Since the 1703 release of Windows 10, SymCrypt has been the primary crypto library for all algorithms in Windows. Microsoft notes in its GitHub repo that, like any engineering project, “SymCrypt is a compromise between conflicting requirements” including the need to minimise maintenance cost.

The disclosure a day after the deadline lapsed drew mixed reactions on social media, with some criticising Ormandy for the move; and were met with short shrift.

The ensuing debate boiled down, fundamentally, to how much sympathy those involved had for Microsoft. Some argued that the company needs more time to test patches to core components. Other that it had received helpful free guidance that could help it avoid DOS attacks and that its failure to meet a deadline meant publication of the vuln. was perfectly understandable. Those making the latter point noted that Microsoft has reduced its QA team and botched recent software updates.

The company has been accused of having “dysfunctional software processes”.

Read this: Microsoft Promises Closer Coordination with OEMs, Software Vendors After Botched Update


This article is from the CBROnline archive: some formatting and images may not be present.

CBR Staff Writer

CBR Online legacy content.