Microsoft Accidentally Revealed A Nasty Wormable Windows Exploit On Patch Tuesday

Windows Worm
This month's Patch Tuesday collection of security updates came with an added surprise—a disclosure of a "wormable" vulnerability affecting the Server Message Block 3.1.1 (SMBv3) network communication protocol. What made this unusual is that the fix was not included in the Patch Tuesday package, so the vulnerability should not have been disclosed.

That's a big 'oops' moment by Microsoft. Though it was not initially published to the public, several security partners that are part of the Microsoft Active Protections Program were alerted to the bug and posted details on the security flaw, labeled as CVE-2020-0796. One of them has since removed its posting after finding out it was not fixed.

"This indicates an attack attempt to exploit a Buffer Overflow Vulnerability in Microsoft SMB Servers. The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet. A remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the application," security outfit FortiGuard Labs explained in a blog post.

The vulnerability affects Windows 10 versions 1903 and 1909, as well as Windows Server versions 1903 and 1909. If leveraged, a remote attacker could gain control of an vulnerable system, which is obviously not a good thing.

Microsoft labels the vulnerability as Critical. As of right now, there is no patch available. In lieu of one, the two workarounds are to disable SMBv3 compression and block TCP port 445.

"TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks," Microsoft says.

If even blocking TCP port 445, however, Microsoft warns systems could still be vulnerable to attacks from within their enterprise perimeter.

How did this inadvertent disclosure happen? That part is not clear, though it is being speculated that Microsoft may have initially planned to patch the security flaw and therefore included details about it in the Common Vulnerability Reporting Framework (CVRF), then removed the patch at the last minute for whatever reason.