Unpatched bug in Windows SymCrypt library could cause DoS condition, warns researcher

Google's Project Zero vulnerability hunting team has publicly disclosed an unpatched bug in the SymCrypt cryptography library for Windows, which could create a denial of service condition when the user initiates any function that requires cryptography.

Project Zero researcher Tavis Ormandy said in a June 11 tweet that even though the problem is of "relatively low severity," it is worth taking note of because it "could take down an entire windows fleet relatively easily."

"There's a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric," explains an online vulnerability analysis written by Ormandy and published by Project Zero.

Ormandy said the Project Zero team revealed the vulnerability after Microsoft Corp. failed to patch the issue by Google's disclosure deadline, which is set at 90 days after a bug is discovered. Microsoft intends to distribute a fix in July, said Tim Willis, senior security engineering manager at Google, in a comment he added to the vulnerability analysis.

According to a Microsoft spokesperson, the company attempted to meet Google's deadline, but ran into some unexpected complications.

"Microsoft has a customer commitment to investigate reported security issues and provide updates as soon as possible. We worked to meet the researcher’s deadline for disclosure; however, a customer-impacting regression was discovered that prevented the update from being released on schedule," the spokesperson said in a statement. "We advised the researcher of the delay as soon as we were able. Developing a security update is a delicate balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption."

In the vulnerability analysis, Ormandy says he was able to craft an X.509 digital certificate that triggers the bug. "I've found that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, and so on will effectively DoS any Windows server (e.g. ipsec, iis, exchange, etc) and (depending on the context) may require the machine to be rebooted," he wrote. "Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock."
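A defensive pattern for the kind of non-terminating modular inverse described above, as an added example that is not SymCrypt's code and does not reproduce the reported bug: a 64-bit binary modular inverse whose loop runs under an explicit step budget, so a non-invertible or unexpected operand returns an error code instead of hanging the caller. The name `modinv_bounded`, the error codes, the 64-bit operand width and the sample inputs are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

enum { MODINV_OK = 0, MODINV_BAD_INPUT = -1,
       MODINV_NOT_INVERTIBLE = -2, MODINV_BUDGET_EXCEEDED = -3 };

/* Halve x modulo odd m (x < m) without overflowing 64 bits. */
static uint64_t half_mod(uint64_t x, uint64_t m) {
    return (x & 1) ? (x >> 1) + (m >> 1) + 1 : x >> 1;
}

/* (x - y) mod m for x, y < m. */
static uint64_t sub_mod(uint64_t x, uint64_t y, uint64_t m) {
    return x >= y ? x - y : m - (y - x);
}

/* Binary extended GCD for odd m. Invariant: x1*a == u and x2*a == v (mod m).
 * Every subtraction is followed by a shift, and each shift removes one bit
 * from u or v, so a correct run needs fewer than 4 steps per operand bit.
 * Running out of budget therefore signals a logic fault, not a slow input. */
int modinv_bounded(uint64_t a, uint64_t m, uint64_t *out) {
    if (!out || m < 3 || (m & 1) == 0) return MODINV_BAD_INPUT;
    uint64_t u = a % m, v = m, x1 = 1, x2 = 0;
    for (int budget = 4 * 64; budget > 0; budget--) {
        if (u == 0) return MODINV_NOT_INVERTIBLE;  /* gcd(a, m) != 1 */
        if (u == 1) { *out = x1; return MODINV_OK; }
        if (v == 1) { *out = x2; return MODINV_OK; }
        if ((u & 1) == 0)      { u >>= 1; x1 = half_mod(x1, m); }
        else if ((v & 1) == 0) { v >>= 1; x2 = half_mod(x2, m); }
        else if (u >= v)       { u -= v;  x1 = sub_mod(x1, x2, m); }
        else                   { v -= u;  x2 = sub_mod(x2, x1, m); }
    }
    return MODINV_BUDGET_EXCEEDED;  /* fail closed instead of spinning */
}

int main(void) {
    uint64_t inv = 0;
    int rc = modinv_bounded(3, 7, &inv);   /* constructed sample input */
    printf("rc=%d inv=%llu\n", rc, (unsigned long long)inv);
    rc = modinv_bounded(6, 9, &inv);       /* gcd(6, 9) = 3: no inverse */
    printf("rc=%d\n", rc);
    return 0;
}
```

Without the `u == 0` check and the budget, the shift branch would spin forever on a zero operand, which is why the loop is written to fail closed.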

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.