Google Project Zero researcher Tavis Ormandy has published details about a bug in a core Windows crypto library that's been present since Windows 8 and could be used to "take down a Windows fleet pretty quickly".
SymCrypt is one of Microsoft's open-source projects that has become its primary crypto library for symmetric algorithms since Windows 8. As of Windows 10 1703, it also became the primary crypto library for asymmetric algorithms, too.
SEE: 10 tips for new cybersecurity pros (free PDF)
Ormandy, who often finds bugs in antivirus software, crafted an X.509 certificate that triggers the bug and creates a denial-of-service condition on any Windows server, which could require a reboot for it be up and running again.
"There's a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric," explained Ormandy in a write-up published on Microsoft's June 2019 Patch Tuesday.
Microsoft had "committed to fixing it in 90 days", according to Ormandy, in line with Google's three-month deadline for fixing or publicly disclosing bugs that its researchers find.
But, according to Tim Willis, a senior security engineering manager at Google, the Microsoft Security Response Center (MSRC) informed Google on Tuesday that it could not ship the patch until the July Patch Tuesday release "due to issues found in testing".
Once again this bug appears to have its roots in the way Windows interacts with antivirus software.
"I've been able to construct an X.509 certificate that triggers the bug," explained Ormandy.
"I've found that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, and so on will effectively DoS any windows server (eg ipsec, iis, exchange, etc) and (depending on the context) may require the machine to be rebooted. Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock."
Ormandy notes that the bug is a low-severity issue. However, admins should be aware of it due to potential for an attacker to down an entire fleet of Windows machines without much difficulty.
More on Microsoft and Windows security
- No more passwords? Windows 10 1903 is close to that goal, claims Microsoft
- Windows 10 security: Microsoft issues Intel microcode updates against MDS attacks
- How to test MDS (Zombieload) patch status on Windows systems
- Fending off Zombieload attacks will crush your performance
- Windows 10 security: Are ads in Microsoft's own apps pushing fake malware alerts?
- KRACK attack: Here's how companies are responding CNET
- Top 10 app vulnerabilities: Unpatched plugins and extensions dominate TechRepublic