Experts contend Microsoft canceled Feb. updates to patch NSA exploits

'Not realistic' that patching work ground to a halt because six bugs had to be quashed, counters patch expert

IDG

IDG

Microsoft delayed its February security update slate to finish patching critical flaws in Windows that a hacker gang tried to sell, several security experts have argued.

"Looks like Microsoft had been informed by 'someone,' and purposely delayed [February's] Patch Tuesday to successfully deliver MS17-010," tweeted Matt Suiche, founder of Dubai-based security firm Comae Technologies.

MS17-010, one of several security bulletins Microsoft issued in March, was just one of several cited Friday by the Redmond, Wash. developer when it said it had already patched most of the vulnerabilities exploited by just-leaked hacking tools.

Those tools -- 12 different Windows exploits -- had been included in a large data dump made April 14 by a hacker group dubbed Shadow Brokers, which is believed to have ties to Russia. The exploits, as well as a trove of documents, had been stolen from the National Security Agency (NSA), Shadow Brokers claimed.

In January, the gang tried to sell the exploits, but bidders failed to materialize. As it advertised its wares, Shadow Brokers posted screenshots of the tools' codenames, which matched what Microsoft said Friday it had previously patched.

The timing -- Shadow Brokers' January auction, Microsoft's MS17-010 release in March -- and the unprecedented, and still unexplained, decision by the latter to postpone all of February's security updates, brought several security professionals, including Suiche, to the same connect-the-dots conclusions.

First, someone reported the six vulnerabilities patched in MS17-010 to Microsoft. Second, Microsoft -- working frantically to fix the flaws before Shadow Brokers went public or succeeded in selling the exploits -- canceled February's updates to focus all its attention on delivering the patches in March.

"Remember how [Microsoft] had to push back February security updates to March?" asked SwiftonSecurity, the Twitter nickname for someone who claims to be a Windows system administrator for the North American subsidiary of a multinational corporation. "Was probably to make sure they fixed all the NSA exploits in one pass." A few minutes later, SwiftonSecurity added, "This is an unsourced personal guess and has no evidence. Microsoft will probably never confirm anything."

The evidence, admittedly, is circumstantial.

Shadow Brokers claimed in January that it had exploits of Windows SBM (Server Message Block), the OS's network file sharing protocol. All six vulnerabilities patched in MS17-010 were in SMB, with five rated "Critical," Microsoft's most severe ranking, and were characterized as "Remote Code Execution" flaws, meaning they could be used to run attack code on a victimized system.

"The vulnerabilities had remote code abilities," Suiche pointed out in an interview as he stressed the importance of getting patches out pronto. "And SMB ships in large portions of Windows."

According to Microsoft, the critical vulnerabilities patched by the MS17-010 update were present in Windows Vista, Windows 7, Windows 8.1, Windows 10, Server 2008, Server 2008 R2, Server 2012, Server 2012 R2 and Server 2016. In other words, every supported version of the operating system.

Also noteworthy was that Microsoft did not acknowledge who or what organization reported the six vulnerabilities. Although Microsoft does omit acknowledgments -- typically because the reporting researcher has requested anonomity, or because Microsoft's own engineers uncovered the flaw -- it does so only rarely. More important, it would be very unusual for six vulnerabilities bundled into a bulletin to all come sans an acknowledgment.

Two months ago, Microsoft issued only a vague statement when it canceled February's patches, saying, "We discovered a last-minute issue that could impact some customers and was not resolved in time for our planned updates."

Nor has the company explained how it came to find the vulnerabilities it rushed to patch in MS17-010. Although Microsoft asserted that it had not been alerted by outsiders, it did not respond to questions from Computerworld, including how it learned of the bugs.

One patch expert was skeptical that Microsoft had, in fact, shoved aside February's patch set to get MS17-010 out the door.

"Microsoft's developers are so siloed," said Chris Goettl, product manager at Ivanti, formerly Shavlik, referring to how the company segregates, say, the Office team from the Windows team from the Internet Explorer team. His point: It's unreasonable to think that every engineer would be shunted to work on the SMB patches.

"That they stopped everything to put everyone on the SMB thing, that's not realistic," said Goettl, who stuck with his February bet that the patches were canceled because Microsoft had an update infrastructure meltdown.

Join the Good Gear Guide newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags Daily BriefingMicrosoft

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?