With Microsoft postponing the regularly scheduled “Patch Tuesday” updates, the internet is abuzz with speculation on why. Microsoft’s lack of explanation or details pertaining to the delay only added to the rumor mill. Lifted from Microsoft’s blog posting:
“Our top priority is to provide the best possible experience for customers in maintaining and protecting their systems. This month, we discovered a last minute issue that could impact some customers and was not resolved in time for our planned updates today.”
One of the more moderate guesses (source: ZDNet) says that Microsoft was simply having technical difficulties with their patch build system. If true, this explanation would alleviate the fears raised by the second rumor. Also, this explanation doesn’t quite fit their statement, so I’m guessing it’s not so sound?
The second rumor, however (source: almost everywhere), has some weight behind it: Microsoft has yet to fix the SMB bug that has been a point of contention over the past few months, and this is why they were unable to ship the patch. They may have found an additional flaw in their fix that could have caused problems for the system. Without Microsoft’s clarification on this matter, we’re left to guess.
The SMB bug is a flaw in the Windows client’s handling of Server Message Block (SMB), the protocol Windows uses for file and printer sharing. In short, a Windows client could mishandle traffic from a malicious server, causing memory corruption and a crash to a BSOD (Blue Screen of Death). US-CERT raised the threat level, saying the flaw could potentially be used for RCE (Remote Code Execution) with kernel privileges, which is as bad as it gets.
While it’s not uncommon for Microsoft, or any vendor, to give vague answers about security delays or issues, it is a bit strange that they’ve had more than enough time to patch this seemingly easy fix, yet they haven’t.
When security researcher Laurent Gaffié warned Microsoft of the flaw, he gave them the usual 90-day window to produce a patch. They didn’t. As a result, he published a PoC (Proof of Concept) on Git.
We’ll continue to speculate as to why Microsoft hasn’t put out a patch, but for this article, I’d like to wager that they may have found more bugs in SMB than they bargained for. But that’s just my guess.
In the meantime, US-CERT suggests blocking all outbound SMB traffic.
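As an added illustration of that workaround (my own example, not code from the original post, from US-CERT or from Microsoft), the following PowerShell applies the outbound block on a single Windows host with the built-in Windows Firewall and then verifies that the rules are in place. It assumes Windows 8 / Server 2012 or later (the NetSecurity module that provides New-NetFirewallRule) and an elevated session; the rule display names are my own choice.

```powershell
# Added example: block outbound SMB/NetBIOS from this host and verify the block.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.
#Requires -RunAsAdministrator

# Standard SMB/NetBIOS ports: 445/TCP (SMB over TCP), 139/TCP (NetBIOS session),
# 137/UDP and 138/UDP (NetBIOS name and datagram services).
$OutboundSmbRules = @(
    @{ Name = 'Block-Outbound-SMB-445';     Protocol = 'TCP'; Port = 445 },
    @{ Name = 'Block-Outbound-NetBIOS-139'; Protocol = 'TCP'; Port = 139 },
    @{ Name = 'Block-Outbound-NetBIOS-137'; Protocol = 'UDP'; Port = 137 },
    @{ Name = 'Block-Outbound-NetBIOS-138'; Protocol = 'UDP'; Port = 138 }
)

function Add-OutboundSmbBlockRules {
    param(
        # 'Any' blocks every destination, which is what US-CERT's workaround calls for
        # on hosts that never need to reach file servers. On domain-joined machines you
        # would normally pass the address ranges to block instead, or apply the block at
        # the network boundary, so that internal shares keep working.
        [string[]]$RemoteAddress = 'Any'
    )
    foreach ($r in $OutboundSmbRules) {
        # Idempotent: skip rules that already exist so the script can be re-run safely.
        if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
            Write-Host "Rule '$($r.Name)' already exists, skipping."
            continue
        }
        New-NetFirewallRule -DisplayName $r.Name `
                            -Direction Outbound `
                            -Action Block `
                            -Protocol $r.Protocol `
                            -RemotePort $r.Port `
                            -RemoteAddress $RemoteAddress `
                            -Profile Any `
                            -Description 'Workaround for the Windows SMB client flaw: block outbound SMB/NetBIOS.' | Out-Null
        Write-Host "Created rule '$($r.Name)' ($($r.Protocol)/$($r.Port))."
    }
}

function Test-OutboundSmbBlocked {
    # Returns $true only if every expected rule exists, is enabled and has Action = Block.
    $missing = foreach ($r in $OutboundSmbRules) {
        $rule = Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue
        if (-not $rule -or $rule.Enabled -ne 'True' -or $rule.Action -ne 'Block') {
            $r.Name
        }
    }
    if ($missing) {
        Write-Warning ("Outbound SMB is NOT fully blocked; missing or disabled: " + ($missing -join ', '))
        return $false
    }
    Write-Host 'Outbound SMB/NetBIOS block rules are present and enabled.'
    return $true
}

Add-OutboundSmbBlockRules
Test-OutboundSmbBlocked
```

Because the rules are host-level, they do nothing for traffic that leaves the network from other machines; the boundary filtering US-CERT describes still has to be applied at the perimeter firewall. After creating the rules, a `Test-NetConnection -ComputerName <external-host> -Port 445` from the host should fail, which is the quick end-to-end check that the block is effective.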