Experts contend Microsoft canceled Feb. updates to patch NSA exploits

'Not realistic' that patching work ground to a halt because six bugs had to be quashed, counters patch expert



Microsoft delayed its February security update slate to finish patching critical flaws in Windows that a hacker gang tried to sell, several security experts have argued.

"Looks like Microsoft had been informed by 'someone,' and purposely delayed [February's] Patch Tuesday to successfully deliver MS17-010," tweeted Matt Suiche, founder of Dubai-based security firm Comae Technologies.

MS17-010, one of several security bulletins Microsoft issued in March, was just one of several cited Friday by the Redmond, Wash. developer when it said it had already patched most of the vulnerabilities exploited by just-leaked hacking tools.

Those tools -- 12 different Windows exploits -- had been included in a large data dump made April 14 by a hacker group dubbed Shadow Brokers, which is believed to have ties to Russia. The exploits, as well as a trove of documents, had been stolen from the National Security Agency (NSA), Shadow Brokers claimed.

In January, the gang tried to sell the exploits, but bidders failed to materialize. As it advertised its wares, Shadow Brokers posted screenshots of the tools' codenames, which matched what Microsoft said Friday it had previously patched.

The timing -- Shadow Brokers' January auction, Microsoft's MS17-010 release in March -- and the unprecedented, and still unexplained, decision by the latter to postpone all of February's security updates, brought several security professionals, including Suiche, to the same connect-the-dots conclusions.

First, someone reported the six vulnerabilities patched in MS17-010 to Microsoft. Second, Microsoft -- working frantically to fix the flaws before Shadow Brokers went public or succeeded in selling the exploits -- canceled February's updates to focus all its attention on delivering the patches in March.

"Remember how [Microsoft] had to push back February security updates to March?" asked SwiftonSecurity, the Twitter nickname for someone who claims to be a Windows system administrator for the North American subsidiary of a multinational corporation. "Was probably to make sure they fixed all the NSA exploits in one pass." A few minutes later, SwiftonSecurity added, "This is an unsourced personal guess and has no evidence. Microsoft will probably never confirm anything."

The evidence, admittedly, is circumstantial.

Shadow Brokers claimed in January that it had exploits of Windows SMB (Server Message Block), the OS's network file sharing protocol. All six vulnerabilities patched in MS17-010 were in SMB, with five rated "Critical," Microsoft's most severe ranking, and were characterized as "Remote Code Execution" flaws, meaning they could be used to run attack code on a victimized system.

"The vulnerabilities had remote code abilities," Suiche pointed out in an interview as he stressed the importance of getting patches out pronto. "And SMB ships in large portions of Windows."

According to Microsoft, the critical vulnerabilities patched by the MS17-010 update were present in Windows Vista, Windows 7, Windows 8.1, Windows 10, Server 2008, Server 2008 R2, Server 2012, Server 2012 R2 and Server 2016. In other words, every supported version of the operating system.

Also noteworthy was that Microsoft did not acknowledge who or what organization reported the six vulnerabilities. Although Microsoft does omit acknowledgments -- typically because the reporting researcher has requested anonymity, or because Microsoft's own engineers uncovered the flaw -- it does so only rarely. More important, it would be very unusual for six vulnerabilities bundled into a bulletin to all come sans an acknowledgment.

Two months ago, Microsoft issued only a vague statement when it canceled February's patches, saying, "We discovered a last-minute issue that could impact some customers and was not resolved in time for our planned updates."

Nor has the company explained how it came to find the vulnerabilities it rushed to patch in MS17-010. Although Microsoft asserted that it had not been alerted by outsiders, it did not respond to questions from Computerworld, including how it learned of the bugs.

One patch expert was skeptical that Microsoft had, in fact, shoved aside February's patch set to get MS17-010 out the door.

"Microsoft's developers are so siloed," said Chris Goettl, product manager at Ivanti, formerly Shavlik, referring to how the company segregates, say, the Office team from the Windows team from the Internet Explorer team. His point: It's unreasonable to think that every engineer would be shunted to work on the SMB patches.

"That they stopped everything to put everyone on the SMB thing, that's not realistic," said Goettl, who stuck with his February bet that the patches were canceled because Microsoft had an update infrastructure meltdown.


Gregg Keizer

Computerworld (US)