Security researcher discovers bug within SymCrypt

Google vulnerability researcher discovers bug within SymCrypt

Tavis Ormandy, one of Google’s “Project Zero” team’s security researchers discovered a vulnerability that could effectively perform a denial-of-service attack on Windows servers. There is a 90-day disclosure deadline associated with Project Zero, and since it was day 91, Ormandy released the information.

  • By Kaitlyn DeHaven
  • Jun 14, 2019

A vulnerability researcher who is part of Google’s “Project Zero” team discovered a bug within SymCrypt, the core cryptographic library responsible for implementing asymmetric crypto algorithms in Windows 10 and symmetric crypto algorithms in Windows 8. Davey Winder, a contributor for the Forbes cybersecurity section, said that when the researcher used a malformed digital certificate, he could force the SymCrypt calculations into an infinite loop. This would effectively perform a denial-of-service (DoS) attack on Windows servers such as those running the IPsec protocols that are required when using a VPN or the Microsoft Exchange Server for email and calendaring for example.

The Project Zero deadline to fix issues is 90 days, and because Tuesday, June 11 was day 91, researcher Tavis Ormandy tweeted the issue to make it public. He said that the bug isn’t serious in his opinion, but it’s certainly something to be aware of.

“I consider this relatively low severity, but you could take down an entire Windows fleet relatively easily, so it’s worth being aware of,” Ormandy said in his tweet.

Adam Laub, SVP Product Management at STEALTHbits Technologies said that although this issue is “low severity,” it could be a lot more pungent for organizations that are having a hard time implementing the fix.

“This finding demonstrates just how important this type of research is in helping organizations mitigate risks no one ever knew existed,” Laub said. “The frightening part about this vulnerability and others that can be remedied with a simple patch, however, is that many organizations will have a very difficult time actually implementing the fix.”

About the Author

Kaitlyn DeHaven is the Associate Content Editor for the Infrastructure Solutions Group at 1105 Media.

Featured

  • UL Solutions Launches Artificial Intelligence Safety Certification Services

    UL Solutions Inc., a global leader in safety science, today announced the launch of artificial intelligence (AI) safety certification services, enabling comprehensive assessments for evaluating the safety of AI-powered products. Read Now

  • ESA Announces Initiative to Introduce the SECURE Act in State Legislatures

    The Electronic Security Association (ESA), the national voice for the electronic security and life safety industry, has announced plans to introduce the SECURE Act in state legislatures across the country beginning in 2025. The proposal, known as Safeguarding Election Candidates Using Reasonable Expenditures, provides a clear framework that allows candidates and elected officials to use campaign funds for professional security services. Read Now

    • Guard Services

  • Ransomware Attacks Rise for the First Time in Six Months

    Ransomware attacks have risen for the first time in six months, increasing by 28% month-on-month to 421 attacks. While overall attack volume remained below 500, the uptick may signal a renewed escalation heading into the year’s most active period for cyber criminals. Read Now

  • Report: 47 Percent of Security Service Providers Are Not Yet Using AI or Automation Tools

    Trackforce, a provider of security workforce management platforms, today announced the launch of its 2025 Physical Security Operations Benchmark Report, an industry-first study that benchmarks both private security service providers and corporate security teams side by side. Based on a survey of over 300 security professionals across the globe, the report provides a comprehensive look at the state of physical security operations. Read Now

    • Guard Services

  • Identity Governance at the Crossroads of Complexity and Scale

    Modern enterprises are grappling with an increasing number of identities, both human and machine, across an ever-growing number of systems. They must also deal with increased operational demands, including faster onboarding, more scalable models, and tighter security enforcement. Navigating these ever-growing challenges with speed and accuracy requires a new approach to identity governance that is built for the future enterprise. Read Now

Most   Popular

New Products

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis.

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.