A Google vulnerability researcher says he has identified a bug in SymCrypt, the core cryptography library for Windows, that when exploited in a denial of service (DoS) attack could “take down an entire Windows fleet relatively easily”.

After disclosing the bug to Microsoft on Wednesday, March 13, Tavis Ormandy said he was told that the company would need until today (June 11) to patch the issue, but was later told the patch will not ship until July owing to issues found in testing.

I noticed a bug in SymCrypt, the core library that handles all crypto on Windows.

In a bug report filed on Google’s Project Zero site, he wrote: “Here’s a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric.”

SymCrypt, Windows’ cryptographic function library, was started in late 2006 with the first sources committed in Feb 2007. Since the 1703 release of Windows 10, SymCrypt has been the primary crypto library for all algorithms in Windows.