When researchers find vulnerabilities that leave older systems exposed, should Microsoft create patches or encourage upgrades? Experts weigh in.
When security researchers unearth flaws in Microsoft systems and software, the company is put in a tough situation: does it create fixes and prolong users’ reliance on older software in lieu of upgrading? Or does it leave vulnerabilities unpatched and users exposed?
The company’s decision to choose the latter was a topic of conversation at Black Hat USA and DEF CON last month. Researchers presented on security holes Microsoft had declined to patch and instead offered users guidance and workarounds to protect their systems from attack.
Microsoft traditionally does not patch flaws in older technology. In June 2017, for example, FortiGuard Labs reported a WINS Server remote memory corruption vulnerability in Microsoft Windows Server: the server's handling of malformed WINS packets could be made to corrupt memory remotely.
Because the functionality WINS provided was later replaced by DNS, Microsoft urged users to migrate away from WINS instead of patching the hole. A fix “would require a complete overhaul of the code to be considered comprehensive,” the company said.
“This one does sort of fall into the ‘so old it’s not worth patching’ category,” says RiskSense senior security analyst Sean Dillon. “But realistically the issue should only take a single developer less than a day to fix.
“There’s no reason or excuse to ship known-vulnerable software,” he continues. “If you’re still shipping the code, someone is using it. Either fix it, or remove it.”
Microsoft has created patches for older systems on rare occasions, as we saw in its massive June security update following WannaCry. The release included fixes for Windows XP and Windows Server, in addition to Windows, Office, Skype, Internet Explorer, and Microsoft Edge.
However, sometimes security flaws in modern systems go unaddressed and could potentially put businesses at risk.
This is the case with SMBLoris, a vulnerability in the Server Message Block (SMB) file sharing protocol affecting SMBv1, SMBv2, and SMBv3, as well as the Samba Linux server enabling SMB interoperability with Linux systems. All versions of Windows released since 2000 are vulnerable.
Unauthenticated attackers could use SMBLoris to connect to a remote machine over SMB and make it commit RAM to servicing each connection. By opening thousands of such connections to the same target device, they could exhaust its RAM and potentially crash it.
SMBLoris, which Dillon discovered while analyzing the EternalBlue exploit, could let a single machine take down a Windows server, he explains. Microsoft won’t issue a patch because the flaw is deeply ingrained in the way SMB works and many components rely on its behavior.
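The flooding pattern described above leaves a footprint a defender can watch for: one remote address holding far more simultaneous SMB (TCP/445) connections than any legitimate client would. The following is an added illustration, not code from the article or from any of the researchers quoted; the netstat-style input format, the sample records and the per-source threshold are assumptions made for the example.

```python
from collections import Counter

SMB_PORT = 445
# Assumed threshold for this example: a normal client holds a handful of SMB
# sessions, so hundreds from a single address is the flooding pattern at issue.
MAX_CONNECTIONS_PER_SOURCE = 100


def parse_connection_line(line):
    """Parse a netstat-style record 'TCP local:port remote:port STATE'.

    Returns (local_port, remote_ip, state), or None for lines that do not match.
    """
    parts = line.split()
    if len(parts) != 4 or parts[0].upper() != "TCP":
        return None
    try:
        local_port = int(parts[1].rsplit(":", 1)[1])
    except (IndexError, ValueError):
        return None
    remote_ip = parts[2].rsplit(":", 1)[0]  # rsplit keeps bracketed IPv6 intact
    return local_port, remote_ip, parts[3]


def count_smb_connections(lines):
    """Count open inbound SMB connections per remote address."""
    counts = Counter()
    for line in lines:
        rec = parse_connection_line(line)
        if rec is None:
            continue
        local_port, remote_ip, state = rec
        # Only connections to the server's SMB port, established or half-open, matter.
        if local_port == SMB_PORT and state in ("ESTABLISHED", "SYN_RECEIVED"):
            counts[remote_ip] += 1
    return counts


def flag_flooders(lines, threshold=MAX_CONNECTIONS_PER_SOURCE):
    """Return {remote_ip: count} for every source at or above the threshold."""
    return {ip: n for ip, n in count_smb_connections(lines).items() if n >= threshold}


# Constructed sample: one legitimate client with two SMB sessions plus an RDP
# session, and one address holding 150 SMB connections at once.
SAMPLE_LINES = (
    ["TCP 10.0.0.5:445 10.0.0.20:50001 ESTABLISHED",
     "TCP 10.0.0.5:445 10.0.0.20:50002 ESTABLISHED",
     "TCP 10.0.0.5:3389 10.0.0.20:50003 ESTABLISHED"]
    + [f"TCP 10.0.0.5:445 198.51.100.7:{40000 + i} ESTABLISHED" for i in range(150)]
)

if __name__ == "__main__":
    print(flag_flooders(SAMPLE_LINES))  # {'198.51.100.7': 150}
```

Feeding the script the output of a periodic connection-table snapshot gives a cheap early warning that complements connection rate limiting at the firewall.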
“Microsoft’s refusal to patch is not limited to older tech,” says Dillon. “SMBLoris is an example of a modern Windows vulnerability that can be exploited even with all versions of SMB disabled. A productive Windows network will have at least some version of SMB enabled. It is ripe for attack and extortion.”
The SMBLoris discovery put Microsoft in a tough position, says Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposures Research Team (VERT).