
Microsoft delays Windows zero-day patch; researcher drops exploit code

Microsoft decided to delay a Windows zero-day patch by two months, prompting the researcher who found it to post the proof-of-concept exploit code.

A researcher released the exploit code for an SMB vulnerability after Microsoft delayed the Windows zero-day patch because of the relatively low risk of the issue.

Laurent Gaffié, an independent security researcher, discovered the flaw in the Windows Server Message Block (SMB) 3.0 protocol, which could allow an attacker to perform a denial-of-service attack and cause a system reboot if a user were to follow a malicious link. Gaffié told Threatpost he disclosed the SMB vulnerability to Microsoft in September 2016, but the patch was delayed until February's Patch Tuesday because Microsoft didn't want to release a single Windows zero-day patch for SMB.

According to Gaffié, Microsoft had delayed patches for flaws he had found in the past.

"Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is that on issues of low risk, we remediate that risk via our current Update Tuesday schedule," Microsoft said in a statement.

So, before the Windows zero-day patch could be released, Gaffié became impatient and released the proof-of-concept (POC) exploit code for the SMB flaw.

Amol Sarwate, director of engineering for Qualys Inc., based in Redwood City, Calif., looked at the vulnerability and told SearchSecurity it would rate a CVSS score of "about 6.5 on the low end and 7.1 on the high end out of 10."

"This SMB vulnerability is easy to exploit if the attacker is able to lure the victim to click on a link. The link connects the victim machine to a malicious SMB server, which responds in a way which causes the victim machine to crash," Sarwate said. "So, I think the most difficult part to exploit this vulnerability is to get the victim to click on the link. I think it can be used easily in a targeted attack."

Alex Cox, senior manager for RSA FirstWatch, said the POC code makes an attack easy, but the damage that can be done is relatively low.

"In this particular case, the vulnerability is denial-of-service only and doesn't allow code execution. So, from that perspective, it's low risk, as DoS is typically a temporary condition fixed by a reboot of the affected machine," Cox told SearchSecurity.

Kevin Beaumont, security architect based in the U.K., said on Twitter that although the research is valid, the flaw is of "limited use" for threat actors.

Cox said it was fine that Microsoft decided to delay the Windows zero-day patch.

"In this case, the researcher did ultimately follow a responsible disclosure process, so Microsoft is well-prepared to respond if the issue becomes more widespread," Cox said. "If anything else happens that raises the risk, such as a discovery of code execution capability or widespread attacks using the exploit, then an accelerated patch process would be warranted."
