Security researcher discovers bug within SymCrypt -- Security Today

Security researcher discovers bug within SymCrypt

Google vulnerability researcher discovers bug within SymCrypt

Tavis Ormandy, one of Google’s “Project Zero” team’s security researchers discovered a vulnerability that could effectively perform a denial-of-service attack on Windows servers. There is a 90-day disclosure deadline associated with Project Zero, and since it was day 91, Ormandy released the information.

By Kaitlyn DeHaven
Jun 14, 2019

A vulnerability researcher who is part of Google’s “Project Zero” team discovered a bug within SymCrypt, the core cryptographic library responsible for implementing asymmetric crypto algorithms in Windows 10 and symmetric crypto algorithms in Windows 8. Davey Winder, a contributor for the Forbes cybersecurity section, said that when the researcher used a malformed digital certificate, he could force the SymCrypt calculations into an infinite loop. This would effectively perform a denial-of-service (DoS) attack on Windows servers such as those running the IPsec protocols that are required when using a VPN or the Microsoft Exchange Server for email and calendaring for example.

The Project Zero deadline to fix issues is 90 days, and because Tuesday, June 11 was day 91, researcher Tavis Ormandy tweeted the issue to make it public. He said that the bug isn’t serious in his opinion, but it’s certainly something to be aware of.

“I consider this relatively low severity, but you could take down an entire Windows fleet relatively easily, so it’s worth being aware of,” Ormandy said in his tweet.

Adam Laub, SVP Product Management at STEALTHbits Technologies said that although this issue is “low severity,” it could be a lot more pungent for organizations that are having a hard time implementing the fix.

“This finding demonstrates just how important this type of research is in helping organizations mitigate risks no one ever knew existed,” Laub said. “The frightening part about this vulnerability and others that can be remedied with a simple patch, however, is that many organizations will have a very difficult time actually implementing the fix.”

About the Author

Kaitlyn DeHaven is the Associate Content Editor for the Infrastructure Solutions Group at 1105 Media.

If you like what you see, get more delivered to your inbox weekly.
Click here to subscribe to our free premium content.

comments powered by Disqus

Digital Edition

May/June 2019

Featuring:

• A Healthcare Revolution
• Security Beyond the Field
• Secure Your Engines
• One Step Ahead
• Elevating Data Security
View This Issue

Whitepapers

Webinars

New Products

View All Products

Google vulnerability researcher discovers bug within SymCrypt

Police Investigate How 12-Year-Old Boy Slipped Through Security and Boarded Flight at Heathrow Airport

Use of Aging Software on Voting Machines Raises Cybersecurity Concerns

House Passes Two Bills Aimed at Improving Cybersecurity for Small Businesses

Sensitive Information of Over 1.4 Million Students 'Improperly Stored' by Maryland Government

Amazon Patent Shows Potential for Drones To Be Next Frontier in Home Security

Police Investigate How 12-Year-Old Boy Slipped Through Security and Boarded Flight at Heathrow Airport

Digital Edition

May/June 2019

Whitepapers

Perimeter and Intruder Security for Educational Establishments

Avoiding an Identity Crisis: Why Advanced Visual Security is a Critical First Line of Defense

Beginners Guide to Encryption and Key Management

Webinars

Active Shooter Webinar - Active Violence Prevention, Preparation and Response

Access Control - How to protect legacy systems from common vulnerabilities

Video Content Analytics - Optimizing the Video Surveillance Landscape

New Products

5-Port Switch

SecureCircle