As a consequence of skipping its February Patch Tuesday release, Microsoft is leaving two publicly disclosed vulnerabilities unpatched with proof-of-concept exploits available for both.
That raises the stakes considerably, said Tod Beardsley, senior research director at Rapid7. “While there may not be active campaigns to exploit these issues today, the clock does appear to be ticking,” he said. Beardsley said he could not recall a time when Microsoft had announced fixes for publicly demonstrable issues and then failed to release them.
Last week, Microsoft announced it would skip its regular Patch Tuesday release of security bulletins and patches. It did not say specifically why, but published reports indicate Microsoft was experiencing problems with its build system, which caused the delay.
One of the vulnerabilities left unpatched is a flaw in the Windows GDI library disclosed by Google Project Zero on Monday. That flaw (CVE-2017-0038), an out-of-bounds heap read triggered while processing a malformed EMF metafile, lets an attacker read leftover heap data, which may include sensitive information such as private user data or details of the process’s virtual address space (the kind of disclosure that helps defeat ASLR), according to Google.
The second bug was disclosed earlier this month by researcher Laurent Gaffié, prompting an advisory from the CERT Coordination Center (CERT/CC) at Carnegie Mellon University’s Software Engineering Institute, which is sponsored by the Department of Homeland Security. CERT/CC warned that the vulnerability (CVE-2017-0016), in the Windows SMB file-sharing client, lets an adversary crash Windows 8.1 and Windows 10 machines that connect to a malicious SMB server.
“Microsoft Windows contains a memory corruption bug in the handling of SMB traffic, which may allow a remote, unauthenticated attacker to cause a denial of service on a vulnerable system,” according to the CERT advisory. “The CERT/CC is currently unaware of a practical solution to this problem.”
The SMB flaw was found in September by Gaffié. At the beginning of February, Gaffié released proof-of-concept exploit code on GitHub, expecting that Microsoft would patch the vulnerability. Instead, on Feb. 14, Microsoft said it would not release its patches as scheduled. “We will deliver updates as part of the planned March Update Tuesday, March 14, 2017,” it wrote in a blog post to TechNet. “This month, we discovered a last minute issue that could impact some customers and was not resolved in time for our planned updates today.”
Beardsley said that both the SMB Tree connect response denial-of-service and the GDI out-of-bounds heap memory read vulnerabilities have easily obtained, publicly available proof-of-concept code that demonstrates how the security flaws could be exploited.
The more serious of the two unpatched vulnerabilities, Beardsley said, is the Windows’ GDI library issue. “Reading from nearby heap memory can disclose private and sensitive memory contents, especially in applications that routinely create new connections for users,” he said. “While this level of memory disclosure has not yet been demonstrated with the GDI issue, and exploitation is going to be application specific, the risk is there for targeted read attacks.”
“That said, these vulnerabilities will be difficult to trigger in a way that is useful to attackers,” he said. “Neither of these issues is exposed in a basic, widely distributed server configuration. They require special application-level circumstances to be exposed, so I don’t expect to see widespread attacks leveraging these vulnerabilities.”
In the absence of a Microsoft patch for the Windows SMB bug, CERT/CC recommends blocking outbound SMB connections (TCP ports 139 and 445, along with UDP ports 137 and 138) from the local network to the WAN. The rule is outbound rather than inbound because the bug is on the client side: the crash is triggered when a Windows machine connects to an attacker-controlled SMB server (for example by following a UNC path embedded in a document or web page), so preventing internal hosts from reaching external SMB servers removes the trigger.
Google Project Zero’s suggested fix for the GDI library vulnerability is addressed to Microsoft’s code rather than to end users, for whom the report describes no configuration workaround: “a careful audit of all EMF record handlers responsible for dealing with DIBs, in order to make sure that each of them correctly enforces all four conditions necessary to prevent invalid memory access (and subsequent memory disclosure) while processing the bitmaps,” according to Google Project Zero.
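The kind of check Project Zero is asking for, as an added illustration that is neither Google’s nor Microsoft’s code: a stand-alone C validator for the DIB fields of an EMF record such as EMR_SETDIBITSTODEVICE. The field names follow the EMF record layout, but the struct, the function names and the sample records are constructed for this example, and the wording of the four conditions is my reading of the Project Zero write-up (bitmap header inside the record, pixel data inside the record, header large enough for its colour table, pixel buffer large enough for the declared dimensions). The last condition is the one whose absence produces exactly the out-of-bounds heap read the article describes: a record that declares a large bitmap but supplies only a few bytes of pixel data makes the renderer read past the supplied bits into whatever heap memory follows.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative stand-in for the fields an EMF record such as EMR_SETDIBITSTODEVICE
 * uses to describe an embedded DIB. Field names follow the EMF specification; the
 * struct layout is a simplification for this example, not the Windows structure. */
typedef struct {
    uint32_t cbRecord;    /* total size of the record, in bytes */
    uint32_t offBmiSrc;   /* offset of the BITMAPINFO header from the record start */
    uint32_t cbBmiSrc;    /* size of the BITMAPINFO (header plus colour table) */
    uint32_t offBitsSrc;  /* offset of the pixel data from the record start */
    uint32_t cbBitsSrc;   /* size of the pixel data */
    int32_t  biWidth;     /* from the BITMAPINFOHEADER: width in pixels */
    int32_t  biHeight;    /* height in pixels (negative means top-down) */
    uint16_t biBitCount;  /* bits per pixel */
} dib_record;

enum dib_status {
    DIB_OK = 0,
    DIB_BMI_OUTSIDE_RECORD,   /* condition 1 failed */
    DIB_BITS_OUTSIDE_RECORD,  /* condition 2 failed */
    DIB_BMI_TOO_SMALL,        /* condition 3 failed */
    DIB_BITS_TOO_SMALL        /* condition 4 failed */
};

#define BITMAPINFOHEADER_SIZE 40u
#define RGBQUAD_SIZE 4u

/* DIB scanlines are padded to a multiple of 4 bytes. */
static uint64_t dib_stride(uint64_t width_px, uint64_t bpp)
{
    return ((width_px * bpp + 31) / 32) * 4;
}

/* Bytes the pixel data must contain for the declared geometry, or 0 if the
 * geometry itself is invalid. 64-bit math so width*height*bpp cannot wrap. */
static uint64_t dib_required_bits(const dib_record *r)
{
    if (r->biWidth <= 0 || r->biBitCount == 0 || r->biBitCount > 32)
        return 0;
    uint64_t height = r->biHeight < 0 ? (uint64_t)(-(int64_t)r->biHeight)
                                      : (uint64_t)r->biHeight;
    return dib_stride((uint64_t)r->biWidth, r->biBitCount) * height;
}

enum dib_status check_dib_record(const dib_record *r)
{
    /* Widen before adding: offset + size in uint32_t could wrap to a small
     * value and pass a naive "<= cbRecord" comparison. */
    uint64_t bmi_end  = (uint64_t)r->offBmiSrc  + r->cbBmiSrc;
    uint64_t bits_end = (uint64_t)r->offBitsSrc + r->cbBitsSrc;

    /* 1. The BITMAPINFO lies entirely inside the record. */
    if (bmi_end > r->cbRecord)
        return DIB_BMI_OUTSIDE_RECORD;

    /* 2. The pixel data lies entirely inside the record. */
    if (bits_end > r->cbRecord)
        return DIB_BITS_OUTSIDE_RECORD;

    /* 3. The BITMAPINFO is large enough for the header plus the colour table
     *    implied by the bit depth (2^bpp RGBQUAD entries for <= 8 bpp). */
    uint64_t palette = (r->biBitCount <= 8) ? (1ull << r->biBitCount) : 0;
    if (r->cbBmiSrc < BITMAPINFOHEADER_SIZE + palette * RGBQUAD_SIZE)
        return DIB_BMI_TOO_SMALL;

    /* 4. The pixel buffer covers the declared width x height x bpp. Without
     *    this check a small cbBitsSrc with large dimensions makes the renderer
     *    read past the supplied bits into adjacent heap memory. */
    uint64_t need = dib_required_bits(r);
    if (need == 0 || r->cbBitsSrc < need)
        return DIB_BITS_TOO_SMALL;

    return DIB_OK;
}

/* Build a constructed 256-byte record with the header at offset 80 and vary
 * only the pixel-data fields; these are sample values, not a real metafile. */
enum dib_status check_sample(uint32_t offBits, uint32_t cbBits,
                             int32_t width, int32_t height, uint16_t bpp)
{
    dib_record r = { 256u, 80u, 40u, offBits, cbBits, width, height, bpp };
    return check_dib_record(&r);
}

int main(void)
{
    static const char *names[] = { "ok", "BITMAPINFO outside record",
        "pixel data outside record", "BITMAPINFO too small", "pixel data too small" };
    printf("well-formed 4x2 24bpp:         %s\n", names[check_sample(120u, 24u, 4, 2, 24)]);
    printf("24 bytes needed, 8 supplied:   %s\n", names[check_sample(120u, 8u, 4, 2, 24)]);
    printf("8bpp with no colour table:     %s\n", names[check_sample(120u, 8u, 4, 2, 8)]);
    printf("offset+size wraps in 32 bits:  %s\n", names[check_sample(0xFFFFFFF0u, 0x20u, 4, 2, 24)]);
    return 0;
}
```

The wraparound case is the one most often missed in such audits: 0xFFFFFFF0 + 0x20 is 0x10 in 32-bit arithmetic, which would pass a check written as `offBitsSrc + cbBitsSrc <= cbRecord` in `uint32_t`, so the sums are computed in 64 bits before the comparison.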
On Tuesday, Microsoft did ship one security update: fixes for Adobe Flash Player vulnerabilities in the Flash component bundled with Internet Explorer and Edge, which could allow an attacker to execute code remotely.
Adobe released the Flash update itself last week, on schedule. It addressed a bevy of remote code execution vulnerabilities in Adobe Flash Player affecting Windows, macOS and Chrome. Each of the Adobe fixes involves a memory-safety issue that would allow an attacker to execute code on the host system running Flash.