90 days later, awaiting a patch…
A Google vulnerability researcher says he has identified a bug in SymCrypt, the core cryptography library for Windows, that when exploited in a denial of service (DoS) attack could “take down an entire Windows fleet relatively easily”.
After disclosing the bug to Microsoft on Wednesday, March 13, Tavis Ormandy said he was told that the company would need until today (June 11) to patch the issue, but was later told the patch will not ship until July owing to issues found in testing.
The bug was subject to a 90 day disclosure deadline. “Today is day 91, so the issue is now public” he tweeted, characterising the issue as low severity, despite the DoS possibilities (and hitting back at criticisms of the post-deadline disclosure).
I noticed a bug in SymCrypt, the core library that handles all crypto on Windows. It's a DoS, but this means basically anything that does crypto in Windows can be deadlocked (s/mime, authenticode, ipsec, iis, everything). Microsoft committed to fixing it in 90 days, then didn't.
— Tavis Ormandy (@taviso) June 11, 2019
In a bug report filed on Google’s Project Zero site, he wrote: “Here’s a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric.”
“I’ve been able to construct an X.509 certificate that triggers the bug. I’ve found that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, and so on will effectively DoS any windows server (e.g. ipsec, iis, exchange, etc) and (depending on the context) may require the machine to be rebooted. Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock.”
SymCrypt, Windows’ cryptographic function library, was started in late 2006 with the first sources committed in Feb 2007. Since the 1703 release of Windows 10, SymCrypt has been the primary crypto library for all algorithms in Windows. Microsoft notes in its GitHub repo that, like any engineering project, “SymCrypt is a compromise between conflicting requirements” including the need to minimise maintenance cost.
The disclosure a day after the deadline lapsed drew mixed reactions on social media, with some criticising Ormandy for the move; and were met with short shrift.
I'm not on the frontlines of vuln research but I care about people who have to deal with the mess you disclosed, needlessly early in my opinion. It's not like Microsoft was ignoring or disrespecting you. Seriously, I expected better from someone who's been around as long as you.
— Richard Bejtlich (@taosecurity) June 11, 2019
The ensuing debate boiled down, fundamentally, to how much sympathy those involved had for Microsoft. Some argued that the company needs more time to test patches to core components. Other that it had received helpful free guidance that could help it avoid DOS attacks and that its failure to meet a deadline meant publication of the vuln. was perfectly understandable. Those making the latter point noted that Microsoft has reduced its QA team and botched recent software updates.
The company has been accused of having “dysfunctional software processes”.
Yes, Microsoft needs time to test patches to core components.
It's called "trying to make sure hundreds of millions of machines keep working"…along with hundreds of thousands to millions of apps. Most people (including me) have trouble even imagining what that scale is like.
— Nick Craver (@Nick_Craver) June 12, 2019