Microsoft delayed its February security update slate to finish patching critical flaws in Windows that a hacker gang tried to sell, several security experts have argued.
“Looks like Microsoft had been informed by ‘someone,’ and purposely delayed [February’s] Patch Tuesday to successfully deliver MS17-010,” tweeted Matt Suiche, founder of Dubai-based security firm Comae Technologies.
MS17-010, one of the security bulletins Microsoft issued in March, was among those the Redmond, Wash. developer cited Friday when it said it had already patched most of the vulnerabilities exploited by the just-leaked hacking tools.
Those tools — 12 different Windows exploits — had been included in a large data dump made April 14 by a hacker group dubbed Shadow Brokers, which is believed to have ties to Russia. The exploits, as well as a trove of documents, had been stolen from the National Security Agency (NSA), Shadow Brokers claimed.
In January, the gang tried to sell the exploits, but bidders failed to materialize. As it advertised its wares, Shadow Brokers posted screenshots of the tools’ codenames, which matched what Microsoft said Friday it had previously patched.
The timing of Shadow Brokers' January auction and Microsoft's March release of MS17-010, combined with the unprecedented and still unexplained decision to postpone all of February's security updates, led several security professionals, including Suiche, to the same connect-the-dots conclusion.
First, someone reported the six vulnerabilities patched in MS17-010 to Microsoft. Second, Microsoft — working frantically to fix the flaws before Shadow Brokers went public or succeeded in selling the exploits — canceled February’s updates to focus all its attention on delivering the patches in March.
“Remember how [Microsoft] had to push back February security updates to March?” asked SwiftOnSecurity, the Twitter nickname for someone who claims to be a Windows system administrator for the North American subsidiary of a multinational corporation. “Was probably to make sure they fixed all the NSA exploits in one pass.” A few minutes later, SwiftOnSecurity added, “This is an unsourced personal guess and has no evidence. Microsoft will probably never confirm anything.”
The evidence, admittedly, is circumstantial.
Shadow Brokers claimed in January that it had exploits for Windows SMB (Server Message Block), the OS’s network file sharing protocol. All six vulnerabilities patched in MS17-010 were in SMB, five of them rated “Critical,” Microsoft’s most severe ranking, and characterized as “Remote Code Execution” flaws, meaning they could be used to run attack code on a victimized system without any action by the user.
“The vulnerabilities had remote code abilities,” Suiche pointed out in an interview as he stressed the importance of getting patches out pronto. “And SMB ships in large portions of Windows.”
According to Microsoft, the critical vulnerabilities patched by the MS17-010 update were present in Windows Vista, Windows 7, Windows 8.1, Windows 10, Server 2008, Server 2008 R2, Server 2012, Server 2012 R2 and Server 2016. In other words, every supported version of the operating system.
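As an added example, not part of the Computerworld article or of anything Microsoft published, here is a PowerShell script an administrator could run on one host to check the two facts that matter for MS17-010: whether the SMBv1 server is still enabled (disabling SMBv1 was the workaround Microsoft listed in the bulletin) and whether the bulletin's hotfix for that OS is installed. The KB number is passed in as a parameter rather than hard-coded; take it from the bulletin for the OS in question. `Get-SmbServerConfiguration` and `Get-NetTCPConnection` exist only on Windows 8/Server 2012 and later, so the script falls back to the registry and `netstat` on Windows 7 and Server 2008 R2. The script name in the usage note is an assumption.

```powershell
<#
 Added example, not from the Computerworld article: a per-host check for the
 two facts that matter for MS17-010 - is SMBv1 still enabled, and is the
 bulletin's hotfix for this OS installed. Run from an elevated PowerShell.
 The KB number is an assumed input: take it from the MS17-010 bulletin for
 the OS in question; none is hard-coded here.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$Ms17010Kb     # 'KBnnnnnnn' as listed in the bulletin for this OS
)

$report = [ordered]@{
    ComputerName = $env:COMPUTERNAME
    OSVersion    = [System.Environment]::OSVersion.Version.ToString()
}

# 1. SMBv1 server state.
#    Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
#    on Windows 7 / Server 2008 R2 the same switch lives in the registry, where
#    an absent SMB1 value means "enabled".
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $report.Smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $report.Smb1Enabled = ($null -eq $params.SMB1) -or ($params.SMB1 -ne 0)
}

# 2. Hotfix presence. Get-HotFix reads the same data as 'wmic qfe'; on
#    Windows 10 and Server 2016 the fix ships inside a cumulative update,
#    so pass that cumulative update's KB.
$report.HotfixInstalled = [bool](Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue)

# 3. Whether anything is listening on the SMB port at all; only meaningful if
#    the host can be reached on 445 from networks you do not trust.
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $report.Port445Listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
} else {
    $report.Port445Listening = [bool](netstat -an | Select-String ':445\s+.*LISTENING')
}

# 4. Verdict: the host is exposed to the MS17-010 bugs if SMBv1 is on and the
#    hotfix is missing. A patched host with SMBv1 on is still worth flagging.
$report.Exposed = $report.Smb1Enabled -and -not $report.HotfixInstalled

[pscustomobject]$report
```

Save it as, say, `Check-Ms17010.ps1` and run `.\Check-Ms17010.ps1 -Ms17010Kb KBnnnnnnn` with the KB from the bulletin; to sweep a fleet, wrap the same body in `Invoke-Command -ComputerName` and collect the returned objects. Turning SMBv1 off as a mitigation breaks clients that can only speak SMBv1 (older network scanners and printers are the usual culprits), so check what still depends on it before relying on that workaround instead of the patch.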
Also noteworthy: Microsoft did not acknowledge who or what organization reported the six vulnerabilities. Microsoft does sometimes omit an acknowledgment, typically because the reporting researcher requested anonymity or because its own engineers found the flaw, but it does so only rarely. More important, it would be very unusual for all six vulnerabilities bundled into one bulletin to arrive without an acknowledgment.
Two months ago, Microsoft issued only a vague statement when it canceled February’s patches, saying, “We discovered a last-minute issue that could impact some customers and was not resolved in time for our planned updates.”
Nor has the company explained how it came to find the vulnerabilities it rushed to patch in MS17-010. Although Microsoft asserted that it had not been alerted by outsiders, it did not respond to questions from Computerworld, including how it learned of the bugs.
One patch expert was skeptical that Microsoft had, in fact, shoved aside February’s patch set to get MS17-010 out the door.
“Microsoft’s developers are so siloed,” said Chris Goettl, product manager at Ivanti, formerly Shavlik, referring to how the company segregates, say, the Office team from the Windows team from the Internet Explorer team. His point: It’s unreasonable to think that every engineer would be shunted to work on the SMB patches.
“That they stopped everything to put everyone on the SMB thing, that’s not realistic,” said Goettl, who stuck with his February bet that the patches were canceled because Microsoft had an update infrastructure meltdown.