Microsoft Bug Disclosed Before Patch Available

As we have mentioned before, the cycle from bug discovery to patch release can sometimes be long. Tavis Ormandy, a vulnerability researcher at Google, has disclosed a bug in Microsoft Windows’ SymCrypt that can force your system to reboot (with the right file or data passing through).

This bug sits in underlying infrastructure, within a core crypto library.

This Reddit post gives a good explanation:

Tavis Ormandy found a bug in Windows core crypto-library SymCrypt. PoC (Proof of Concept) is based on a crafted X.509 certificate. For example: embedding this file in an S/MIME email could crash a Windows server remotely. Since more than 90 days have passed, Project Zero made this bug public (patch should follow in July).

Here is the SymCrypt page:

SymCrypt is the core cryptographic function library currently used by Windows.


The library was started in late 2006 with the first sources committed in Feb 2007. Initially the goal was limited to implement symmetric cryptographic operations, hence the name. Starting with Windows 8, it has been the primary crypto library for symmetric algorithms.

In 2015 we started the work of adding asymmetric algorithms to SymCrypt. Since the 1703 release of Windows 10, SymCrypt has been the primary crypto library for all algorithms in Windows.


So what is the true meaning of this bug?

A ‘well-crafted’ certificate, or any other way of kicking off this bug, can cause your machine to hang (DoS, Denial of Service). So far no one has found a mass-market way to hit thousands of machines (YET!).

Thus it is not a high-priority problem, but it does need to be fixed. The fix is slated to come out in the July patch update (2nd Tuesday), July 9th.

Contact us to understand the patch cycle process:

If you look at my image above, that is Day 60, so Microsoft has not forced the fix out before Day 91 due to the low-risk nature of this problem. I.e., rebooting is annoying, but at least hackers are not reformatting all your data with ransomware. So with a July 9 patch day it looks like the fix will land close to Day 117+.

This is unfortunately typical, as it is not that easy to create a patch for hundreds of different devices. I also wonder if this issue could have been better handled by Tavis, or if this is a small competition thing between Google and Microsoft. Either way we have to pick up the pieces and deal with the possible consequences.


