Microsoft Fails to Patch Zero-Day Bug in Windows SymCrypt
CYBER NEWS

Microsoft Fails to Patch Zero-Day Bug in Windows SymCrypt

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...


Tavis Ormandy, security researcher at Google’s Project Zero, has “noticed a bug in SymCrypt, the core library that handles all crypto on Windows.” The bug is a zero-day of the DoS (denial-of-service) type.




The bug means that “basically anything that does crypto in Windows can be deadlocked (s/mime, authenticode, ipsec, iis, everything)”, the researcher revealed in a series of tweets. Apparently, Microsoft committed to fixing it in 90 days, but it still hasn’t.

Initially, the company said that they would like to issue a bulletin for the issue, but need until June 11th. On that day, however, Microsoft noted that “the patch won’t ship today”. A patch wouldn’t be ready until the July release due to issues found in testing.

More about the SymCrypt bug

The issue is located in Windows’ SymCrypt core cryptographic library that has been available for symmetric algorithms since Windows 8. SymCrypt is also considered the primary crypto library for asymmetric algorithms on the Windows 10 1703 build.

A bug report about the issue is now available on Chromium, after the 90-day deadline has passed. This is what the bug report says:

There’s a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric.

In addition, Ormandy has been able to construct an X.509 certificate that triggers the bug. The researcher also discovered that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, will “effectively DoS any windows server (e.g. ipsec, iis, exchange, etc) and (depending on the context) may require the machine to be rebooted”.

Related: Google’s ProjectZero Puzzled by Microsoft, CVE-2017-0037 Still Not Patched

Since lots of software that handles untrusted content (such as antivirus programs) call these routines on untrusted data, this would cause them to deadlock.

Even though the bug is low in severity, it shouldn’t be overlooked. A patch is expected to be delivered via July 2018’s Patch Tuesday.

Avatar

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...