Security researcher discovers bug within SymCrypt

Google vulnerability researcher discovers bug within SymCrypt

Tavis Ormandy, one of Google’s “Project Zero” team’s security researchers discovered a vulnerability that could effectively perform a denial-of-service attack on Windows servers. There is a 90-day disclosure deadline associated with Project Zero, and since it was day 91, Ormandy released the information.

  • By Kaitlyn DeHaven
  • Jun 14, 2019

A vulnerability researcher who is part of Google’s “Project Zero” team discovered a bug within SymCrypt, the core cryptographic library responsible for implementing asymmetric crypto algorithms in Windows 10 and symmetric crypto algorithms in Windows 8. Davey Winder, a contributor for the Forbes cybersecurity section, said that when the researcher used a malformed digital certificate, he could force the SymCrypt calculations into an infinite loop. This would effectively perform a denial-of-service (DoS) attack on Windows servers such as those running the IPsec protocols that are required when using a VPN or the Microsoft Exchange Server for email and calendaring for example.

The Project Zero deadline to fix issues is 90 days, and because Tuesday, June 11 was day 91, researcher Tavis Ormandy tweeted the issue to make it public. He said that the bug isn’t serious in his opinion, but it’s certainly something to be aware of.

“I consider this relatively low severity, but you could take down an entire Windows fleet relatively easily, so it’s worth being aware of,” Ormandy said in his tweet.

Adam Laub, SVP Product Management at STEALTHbits Technologies said that although this issue is “low severity,” it could be a lot more pungent for organizations that are having a hard time implementing the fix.

“This finding demonstrates just how important this type of research is in helping organizations mitigate risks no one ever knew existed,” Laub said. “The frightening part about this vulnerability and others that can be remedied with a simple patch, however, is that many organizations will have a very difficult time actually implementing the fix.”

About the Author

Kaitlyn DeHaven is the Associate Content Editor for the Infrastructure Solutions Group at 1105 Media.

Featured

  • Tradeshow Work Can Be Fun

    While at ISC West last week, I ran into numerous friends and associates all of which was a pleasant experience. The first question always seemed to be, “How many does this make for you?” Read Now

    • Industry Events
    • ISC West

  • New Report Says 1 in 5 SMBs Would Be Forced to Shutter After Successful Cyberattack

    Small and medium-sized businesses (SMBs) play a crucial role in the U.S. economy, making up 99.9% of all businesses and contributing to half of the nation's GDP. However, these vital economic growth drivers face an escalating threat—cyberattacks that could put them out of business. Read Now

  • The Yellow Brick Road

    The road to and throughout Wednesday's and Thursday's ISC West was crowded but it was amazing. Read Now

    • Industry Events
    • ISC West

  • An Inside Look From Napco at ISC West

    Get a look into the excitement at ISC West 2025 from Napco. Hear from some of their top-tech executives live from the show floor. Read Now

    • Industry Events
    • ISC West

  • Upping the Ante

    I am not a betting man in terms of cards, dice, blackjack or that wheel with the black marble racing around the circumference of a spinning wheel, but I would bet on the success of ISC West this year. Read Now

    • Industry Events
    • ISC West
Most   Popular

New Products

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure.

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings.