Ormandy says this problem has been evident since Windows 8. More worryingly, he claims the SymCrypt bug is bad enough that it could be exploited to “take down a Windows fleet pretty quickly”. If you are unfamiliar with SymCrypt, it is a Microsoft open-source project that it uses as a crypto library. The tool has been around since Windows 8 and it Microsoft’s lead crypto library for symmetric algorithm and asymmetric algorithms. “There’s a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric,” explained Ormandy in a write-up for Microsoft’s June Patch Tuesday yesterday.
Fix
Google Project Zero typically informs software vendors of vulnerabilities privately. Those vendors then have 90 days to issue a fix for the problem. If the 90 days passes, Project Zero discloses the flaw publicly. “I’ve been able to construct an X.509 certificate that triggers the bug,” explained Ormandy. “I’ve found that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, and so on will effectively DoS any windows server (eg ipsec, iis, exchange, etc) and (depending on the context) may require the machine to be rebooted. Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock.” Microsoft has agreed to patch the SymCrypt within the 90 days limit. However, Tim Willis, a senior engineering manager with Project Zero says Microsoft Security Response Center (MSRC) will not roll out that patch until July.