Google expert disclosed details of an unpatched flaw in SymCrypt library

Tavis Ormandy, a white hat hacker at Google Project Zero, announced that he had found a zero-day flaw in SymCrypt, the cryptographic library of Microsoft’s operating system.

The recently released Microsoft Patch Tuesday security updates for June 2019 failed to address a flaw in SymCrypt, a core cryptographic function library currently used by Windows. The flaw could be exploited by malicious programs to trigger a denial of service condition by interrupting the encryption service for other programs.

The vulnerability was found by white hat hacker Tavis Ormandy from Google Project Zero. In line with Google’s 90-day disclosure policy, Ormandy publicly released details and a proof-of-concept of the vulnerability.

Ormandy privately reported the flaw to Microsoft in March 2019, but the tech giant had not fixed it after 90 days.

The unpatched vulnerability affects Windows 8 servers and above.

According to Microsoft, SymCrypt is the primary library for implementing symmetric cryptographic algorithms in Windows 8; it also implements asymmetric cryptographic algorithms starting with Windows 10 version 1703.

Ormandy discovered that it is possible to trigger the flaw and cause an infinite loop when performing specific cryptographic operations.

“There’s a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric.” wrote the expert.

“I’ve been able to construct an X.509 certificate that triggers the bug. I’ve found that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, and so on will effectively DoS any windows server (e.g. ipsec, iis, exchange, etc) and (depending on the context) may require the machine to be rebooted. Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock.”

The white hat hacker used a specially crafted X.509 digital certificate to trigger the flaw; he explained that any application running on the system that processes the certificate can trigger the vulnerability.

Specially crafted certificates could be provided in multiple ways, for example in digitally signed and encrypted messages via the S/MIME protocol.

Ormandy explained that in some cases it would be necessary to reboot the vulnerable machine to return it to a normal state.

Microsoft Security Response Center (MSRC) told the Google expert that the company will not be able to provide a security patch before next month.
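The failure class described above, a modular-inverse loop whose termination depends on the operands, can be shown with a textbook binary extended-GCD inverse that fails closed instead of spinning. This is an added example on 64-bit integers, not SymCrypt code and not the root cause of this bug (which the article does not describe); `mod_inverse` and `half_mod` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

/* Halve x modulo an odd m without overflowing 64 bits. */
static uint64_t half_mod(uint64_t x, uint64_t m) {
    return (x & 1) ? (x >> 1) + (m >> 1) + 1 : x >> 1;
}

/* Binary extended-GCD inverse of a modulo odd m.
 * Returns 0 and stores the inverse in *out, or -1 when the operands
 * are rejected or no inverse exists. Invariants: a*x1 == u and
 * a*x2 == v (mod m). */
int mod_inverse(uint64_t a, uint64_t m, uint64_t *out) {
    if (m < 3 || (m & 1) == 0) return -1;   /* halving step needs odd m */
    a %= m;
    if (a == 0) return -1;                  /* zero has no inverse */
    uint64_t u = a, v = m, x1 = 1, x2 = 0;
    /* Every subtraction of two odd values leaves an even one, so it is
     * followed by a halving, and halvings are limited by the combined
     * bit length (128). 256 passes is therefore a hard ceiling; hitting
     * it means the loop logic is wrong, and we fail instead of hanging. */
    for (int pass = 0; pass < 256; pass++) {
        if (u == 1) { *out = x1; return 0; }
        if (v == 1) { *out = x2; return 0; }
        /* gcd(a, m) > 1 ends with u == v, then u - v == 0. A naive
         * "while (u is even) u >>= 1" loop never exits on zero. */
        if (u == 0 || v == 0) return -1;
        if ((u & 1) == 0)      { u >>= 1; x1 = half_mod(x1, m); }
        else if ((v & 1) == 0) { v >>= 1; x2 = half_mod(x2, m); }
        else if (u >= v) { u -= v; x1 = (x1 >= x2) ? x1 - x2 : x1 + (m - x2); }
        else             { v -= u; x2 = (x2 >= x1) ? x2 - x1 : x2 + (m - x1); }
    }
    return -1;
}

int main(void) {
    uint64_t r = 0;
    /* Constructed operands: one invertible, one sharing a factor with m. */
    if (mod_inverse(3, 7, &r) == 0)
        printf("3^-1 mod 7 = %llu\n", (unsigned long long)r);
    printf("6 mod 9 -> %d (rejected, gcd is 3)\n", mod_inverse(6, 9, &r));
    return 0;
}
```

The same principle applies at service level: code that parses untrusted certificates should have a bounded worst case, so a malformed input produces an error rather than a stalled thread.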

Pierluigi Paganini

(SecurityAffairs – SymCrypt, hacking)
