Google warns: This unpatched bug could 'quickly take down a Windows fleet'

Microsoft tried to patch the bug but fails to meet Google's 90-day deadline because of an issue it found in testing.
Written by Liam Tung, Contributing Writer

Google Project Zero researcher Tavis Ormandy has published details about a bug in a core Windows crypto library that's been present since Windows 8 and could be used to "take down a Windows fleet pretty quickly". 

SymCrypt is one of Microsoft's open-source projects that has become its primary crypto library for symmetric algorithms since Windows 8. As of Windows 10 1703, it also became the primary crypto library for asymmetric algorithms, too. 

SEE: 10 tips for new cybersecurity pros (free PDF)

Ormandy, who often finds bugs in antivirus software, crafted an X.509 certificate that triggers the bug and creates a denial-of-service condition on any Windows server, which could require a reboot for it be up and running again. 

"There's a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric," explained Ormandy in a write-up published on Microsoft's June 2019 Patch Tuesday

Microsoft had "committed to fixing it in 90 days", according to Ormandy, in line with Google's three-month deadline for fixing or publicly disclosing bugs that its researchers find. 

But, according to Tim Willis, a senior security engineering manager at Google, the Microsoft Security Response Center (MSRC) informed Google on Tuesday that it could not ship the patch until the July Patch Tuesday release "due to issues found in testing". 

Once again this bug appears to have its roots in the way Windows interacts with antivirus software. 

"I've been able to construct an X.509 certificate that triggers the bug," explained Ormandy. 

"I've found that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, and so on will effectively DoS any windows server (eg ipsec, iis, exchange, etc) and (depending on the context) may require the machine to be rebooted. Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock."

Ormandy notes that the bug is a low-severity issue. However, admins should be aware of it due to potential for an attacker to down an entire fleet of Windows machines without much difficulty.

More on Microsoft and Windows security

Editorial standards