Home > Cyber News > Microsoft Fails to Patch Zero-Day Bug in Windows SymCrypt
CYBER NEWS

Microsoft Fails to Patch Zero-Day Bug in Windows SymCrypt


Tavis Ormandy, security researcher at Google’s Project Zero, has “noticed a bug in SymCrypt, the core library that handles all crypto on Windows.” The bug is a zero-day of the DoS (denial-of-service) type.




The bug means that “basically anything that does crypto in Windows can be deadlocked (s/mime, authenticode, ipsec, iis, everything)”, the researcher revealed in a series of tweets. Apparently, Microsoft committed to fixing it in 90 days, but it still hasn’t.

Initially, the company said that they would like to issue a bulletin for the issue, but need until June 11th. On that day, however, Microsoft noted that “the patch won’t ship today”. A patch wouldn’t be ready until the July release due to issues found in testing.

More about the SymCrypt bug

The issue is located in Windows’ SymCrypt core cryptographic library that has been available for symmetric algorithms since Windows 8. SymCrypt is also considered the primary crypto library for asymmetric algorithms on the Windows 10 1703 build.

A bug report about the issue is now available on Chromium, after the 90-day deadline has passed. This is what the bug report says:

There’s a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric.

In addition, Ormandy has been able to construct an X.509 certificate that triggers the bug. The researcher also discovered that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, will “effectively DoS any windows server (e.g. ipsec, iis, exchange, etc) and (depending on the context) may require the machine to be rebooted”.

Related: [wplinkpreview url=”https://sensorstechforum.com/google-projectzero-puzzled-microsoft-cve-2017-0037-not-patched/”]Google’s ProjectZero Puzzled by Microsoft, CVE-2017-0037 Still Not Patched

Since lots of software that handles untrusted content (such as antivirus programs) call these routines on untrusted data, this would cause them to deadlock.

Even though the bug is low in severity, it shouldn’t be overlooked. A patch is expected to be delivered via July 2018’s Patch Tuesday.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:
Twitter

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree