Tavis Ormandy, a vulnerability researcher at Google, uncovered a security issue in SymCrypt, the core cryptographic library for Windows, that Microsoft is still working to fix. Ormandy says that if the vulnerability is exploited in a denial of service (DoS) attack, it could “take down an entire Windows fleet relatively easily”.
Ormandy said that Microsoft had “committed to fixing it in 90 days”. This was in line with Google’s 90-day deadline for fixing or publicly disclosing bugs that its researchers find.
I noticed a bug in SymCrypt, the core library that handles all crypto on Windows. It's a DoS, but this means basically anything that does crypto in Windows can be deadlocked (s/mime, authenticode, ipsec, iis, everything). Microsoft committed to fixing it in 90 days, then didn't.
— Tavis Ormandy (@taviso) June 11, 2019
On March 13, 2019, Ormandy informed Microsoft of this vulnerability and also filed the issue on Google’s Project Zero issue tracker. On March 26, Microsoft replied saying that it would issue a security bulletin and a fix in the June 11 Patch Tuesday release.
On June 11, Ormandy said that the Microsoft Security Response Center (MSRC) had “reached out and noted that the patch won’t ship today and wouldn’t be ready until the July release due to issues found in testing”.
“There’s a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric”, the bug report states.
“I’ve been able to construct an X.509 certificate that triggers the bug. I’ve found that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, and so on will effectively DoS any windows server (e.g. ipsec, iis, exchange, etc) and (depending on the context) may require the machine to be rebooted. Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock”, Ormandy added.
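The failure mode described above is an arithmetic routine that never terminates on attacker-chosen operands. The following is an added example, not SymCrypt's code, of how a defender would write a modular-inverse routine so that every input, including non-invertible and malformed ones parsed out of an untrusted certificate, either returns a result or fails fast; the names bounded_mod_inverse, NotInvertible and exhaustive_self_check are hypothetical.

```python
import math


class NotInvertible(ValueError):
    """Raised when a has no inverse modulo m or the inputs are malformed."""


def bounded_mod_inverse(a: int, m: int) -> int:
    """Return x such that (a * x) % m == 1, or raise NotInvertible.

    Extended Euclid with two defensive properties a crypto library needs when
    the operands come from untrusted data: non-invertible inputs are rejected
    instead of spun on, and the loop carries a hard iteration cap derived from
    the operand size, so a reduction bug can never become an infinite loop.
    """
    if m < 2:
        raise NotInvertible("modulus must be >= 2")
    a %= m
    if a == 0:
        raise NotInvertible("0 has no inverse")
    # Euclid on inputs below 2^k needs fewer than ~1.44*k division steps
    # (Lame's theorem); 2*k + 2 is therefore a safe, generous cap.
    max_steps = 2 * m.bit_length() + 2
    old_r, r = a, m          # remainders
    old_s, s = 1, 0          # Bezout coefficient of a
    steps = 0
    while r != 0:
        steps += 1
        if steps > max_steps:
            # Unreachable for a correct implementation; treat as an internal
            # error rather than allowing a hang on hostile input.
            raise NotInvertible("iteration bound exceeded (internal error)")
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise NotInvertible(f"gcd({a}, {m}) = {old_r}, no inverse")
    return old_s % m


def exhaustive_self_check(limit: int) -> bool:
    """Cross-check against Python's pow(a, -1, m) for every (a, m) below limit.

    Returns True when every invertible pair agrees with the reference and every
    non-invertible pair raises instead of looping; a small fuzz harness of the
    kind one would run over such a routine before shipping it.
    """
    for m in range(2, limit):
        for a in range(m):
            try:
                x = bounded_mod_inverse(a, m)
            except NotInvertible:
                if math.gcd(a, m) == 1:
                    return False   # invertible input was wrongly rejected
                continue
            if x != pow(a, -1, m):
                return False
    return True
```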
“The disclosure a day after the deadline lapsed drew mixed reactions on social media, with some criticizing Ormandy for the move; they were met with short shrift”, CBR Online states.
Those of us actually on the frontlines of vulnerability research deal with something a little different. The Microsoft you're so enamored with didn't just appear, we had to fight for it. What's petty is hurling insults without even putting in some effort to understand context.
— Tavis Ormandy (@taviso) June 11, 2019
Davey Winder from Forbes approached The Beer Farmers, a group of information security professionals, on this issue. John Opdenakker, an ethical hacker from the group, said, “in general if you privately disclose a vulnerability to a company and the company agrees to fix it within a reasonable period of time I think it’s fair to publicly disclose it if they then don’t fix it on time.”
Another Beer Farmers member, Sean Wright, points out that this is a denial of service vulnerability and that there are many other ways to achieve a denial of service, which makes it a low-severity issue. Wright said to Forbes, “Personally I think it’s a bit harsh, every fix is different and they should allow for some flexibility in their deadline.”
A Microsoft spokesperson said in a statement to Forbes, “Microsoft has a customer commitment to investigate reported security issues and provide updates as soon as possible. We worked to meet the researcher’s deadline for disclosure; however, a customer-impacting regression was discovered that prevented the update from being released on schedule. We advised the researcher of the delay as soon as we were able. Developing a security update is a delicate balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection with minimal customer disruption.”
For the full details of the bug report and the disclosure timeline, see Google’s Project Zero website.