Microsoft delays Windows zero-day patch; researcher drops exploit code

A researcher released the exploit code for an SMB vulnerability after Microsoft delayed the Windows zero-day patch because of the relatively low risk of the issue.

Laurent Gaffié, an independent security researcher, discovered the flaw in the Windows Server Message Block (SMB) 3.0 protocol, which could allow an attacker to perform a denial-of-service attack and cause a system reboot if a user were to follow a malicious link. Gaffié told Threatpost he disclosed the SMB vulnerability to Microsoft in September 2016, but was delayed until February's Patch Tuesday because Microsoft didn't want to release a single Windows zero-day patch for SMB.

According to Gaffié, Microsoft had delayed patches for flaws he had found in the past.

"Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is that on issues of low risk, we remediate that risk via our current Update Tuesday schedule," Microsoft said in a statement.

If i'm not rewarded in any way for the free work I'm doing for this multi-billion company, why should I tolerate them sitting on my bugs?

— Responder (@PythonResponder) February 1, 2017

So, before the Windows zero-day patch could be released, Gaffié became impatient and released the proof-of-concept (POC) exploit code for the SMB flaw.

Amol Sarwate, director of engineering for Qualys Inc., based in Redwood City, Calif., looked at the vulnerability and told SearchSecurity it would rate a CVSS score of "about 6.5 on the low end and 7.1 on the high end out of 10."

"This SMB vulnerability is easy to exploit if the attacker is able to lure the victim to click on a link. The link connects the victim machine to a malicious SMB server, which responds in a way which causes the victim machine to crash," Sarwate said. "So, I think the most difficult part to exploit this vulnerability is to get the victim to click on the link. I think it can be used easily in a targeted attack."

Alex Cox, senior manager for RSA FirstWatch, said the POC code makes an attack easy, but the damage that can be done is relatively low.

"In this particular case, the vulnerability is denial-of-service only and doesn't allow code execution. So, from that perspective, it's low risk, as DoS is a typically a temporary condition fixed by a reboot of the affected machine," Cox told SearchSecurity.

Kevin Beaumont, security architect based in the U.K., said on Twitter that although the research is valid, the flaw is of "limited use" for threat actors.

Patch is due this month. If you have firewall which denies outbound SMB to internet you're covered from the potential client reboot.

— Kevin Beaumont 🤗 (@GossiTheDog) February 1, 2017

Cox said it was fine that Microsoft decided to delay the Windows zero-day patch.

"In this case, the researcher did ultimately follow a responsible disclosure process, so Microsoft is well-prepared to respond if the issue becomes more widespread," Cox said. "If anything else happens that raises the risk, such as a discovery of code execution capability or widespread attacks using the exploit, then an accelerated patch process would be warranted."