HomeWinBuzzer NewsGoogle Project Zero Reveals Flaw in Windows SymCrypt

Google Project Zero Reveals Flaw in Windows SymCrypt

A vulnerability has been discovered in SymCrypt. Microsoft has told Google Project Zero the problem will be fixed in July.

-

We have seen a slew of Windows vulnerabilities disclosed recently, and today another one was revealed. Project Zero researcher Travis Ormandy has revealed a new bug found in the Windows crypto library.

Ormandy says this problem has been evident since Windows 8. More worryingly, he claims the SymCrypt bug is bad enough that it could be exploited to “take down a Windows fleet pretty quickly”.

If you are unfamiliar with SymCrypt, it is a open-source project that it uses as a crypto library. The tool has been around since Windows 8 and it Microsoft's lead crypto library for symmetric algorithm and asymmetric algorithms.

“There's a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric,” explained Ormandy in a write-up for Microsoft's June yesterday.

Fix

typically informs software vendors of vulnerabilities privately. Those vendors then have 90 days to issue a fix for the problem. If the 90 days passes, Project Zero discloses the flaw publicly.

“I've been able to construct an X.509 certificate that triggers the bug,” explained Ormandy.

“I've found that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, and so on will effectively DoS any windows server (eg ipsec, iis, exchange, etc) and (depending on the context) may require the machine to be rebooted. Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock.”

Microsoft has agreed to patch the SymCrypt within the 90 days limit. However, Tim Willis, a senior engineering manager with Project Zero says Microsoft Security Response Center (MSRC) will not roll out that patch until July.

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.
Mastodon