Experts contend Microsoft canceled Feb. updates to patch NSA exploits

'Not realistic' that patching work ground to a halt because six bugs had to be quashed, counters patch expert



Microsoft delayed its February security update slate to finish patching critical flaws in Windows that a hacker gang tried to sell, several security experts have argued.

"Looks like Microsoft had been informed by 'someone,' and purposely delayed [February's] Patch Tuesday to successfully deliver MS17-010," tweeted Matt Suiche, founder of Dubai-based security firm Comae Technologies.

MS17-010, one of several security bulletins Microsoft issued in March, was just one of several cited Friday by the Redmond, Wash. developer when it said it had already patched most of the vulnerabilities exploited by just-leaked hacking tools.

Those tools -- 12 different Windows exploits -- had been included in a large data dump made April 14 by a hacker group dubbed Shadow Brokers, which is believed to have ties to Russia. The exploits, as well as a trove of documents, had been stolen from the National Security Agency (NSA), Shadow Brokers claimed.

In January, the gang tried to sell the exploits, but bidders failed to materialize. As it advertised its wares, Shadow Brokers posted screenshots of the tools' codenames, which matched what Microsoft said Friday it had previously patched.

The timing -- Shadow Brokers' January auction, Microsoft's MS17-010 release in March -- and the unprecedented, and still unexplained, decision by the latter to postpone all of February's security updates, brought several security professionals, including Suiche, to the same connect-the-dots conclusions.

First, someone reported the six vulnerabilities patched in MS17-010 to Microsoft. Second, Microsoft -- working frantically to fix the flaws before Shadow Brokers went public or succeeded in selling the exploits -- canceled February's updates to focus all its attention on delivering the patches in March.

"Remember how [Microsoft] had to push back February security updates to March?" asked SwiftonSecurity, the Twitter nickname for someone who claims to be a Windows system administrator for the North American subsidiary of a multinational corporation. "Was probably to make sure they fixed all the NSA exploits in one pass." A few minutes later, SwiftonSecurity added, "This is an unsourced personal guess and has no evidence. Microsoft will probably never confirm anything."

The evidence, admittedly, is circumstantial.

Shadow Brokers claimed in January that it had exploits of Windows SMB (Server Message Block), the OS's network file sharing protocol. All six vulnerabilities patched in MS17-010 were in SMB, with five rated "Critical," Microsoft's most severe ranking, and were characterized as "Remote Code Execution" flaws, meaning they could be used to run attack code on a victimized system.

"The vulnerabilities had remote code abilities," Suiche pointed out in an interview as he stressed the importance of getting patches out pronto. "And SMB ships in large portions of Windows."

According to Microsoft, the critical vulnerabilities patched by the MS17-010 update were present in Windows Vista, Windows 7, Windows 8.1, Windows 10, Server 2008, Server 2008 R2, Server 2012, Server 2012 R2 and Server 2016. In other words, every supported version of the operating system.

Also noteworthy was that Microsoft did not acknowledge who or what organization reported the six vulnerabilities. Although Microsoft does omit acknowledgments -- typically because the reporting researcher has requested anonymity, or because Microsoft's own engineers uncovered the flaw -- it does so only rarely. More important, it would be very unusual for six vulnerabilities bundled into a bulletin to all come sans an acknowledgment.

Two months ago, Microsoft issued only a vague statement when it canceled February's patches, saying, "We discovered a last-minute issue that could impact some customers and was not resolved in time for our planned updates."

Nor has the company explained how it came to find the vulnerabilities it rushed to patch in MS17-010. Although Microsoft asserted that it had not been alerted by outsiders, it did not respond to questions from Computerworld, including how it learned of the bugs.

One patch expert was skeptical that Microsoft had, in fact, shoved aside February's patch set to get MS17-010 out the door.

"Microsoft's developers are so siloed," said Chris Goettl, product manager at Ivanti, formerly Shavlik, referring to how the company segregates, say, the Office team from the Windows team from the Internet Explorer team. His point: It's unreasonable to think that every engineer would be shunted to work on the SMB patches.

"That they stopped everything to put everyone on the SMB thing, that's not realistic," said Goettl, who stuck with his February bet that the patches were canceled because Microsoft had an update infrastructure meltdown.

Gregg Keizer

Computerworld (US)