After canceling Patch Tuesday for the first time ever, Microsoft releases a Flash patch

Fixes for the 2 vulnerabilities with public exploit code will wait until March.

Credit: Magdalena Petrova

Microsoft released MS17-005 to patch critical flaws in Adobe Flash Player, but that’s it. Microsoft didn’t release the fix for the two zero-day exploits disclosed this month.

After the company said patches would be delayed in February, it clarified that security updates would instead be released on Patch Tuesday in March. Yet InfoWorld’s Woody Leonhard reported that Microsoft emailed its largest customers on Monday with a heads-up about the Flash patches for Internet Explorer and Edge.

Don’t expect Microsoft to release any out-of-band patches for the Windows exploit code that’s in the wild, since the email from Microsoft told its big, important customers, “No other security updates are scheduled for release until the next scheduled monthly update release on March 14, 2017.”

2 flaws leave Windows users vulnerable

Windows users are left vulnerable to two different sets of publicly released exploit code. On February 2, US-CERT released an advisory about a Windows SMB bug. The vulnerability note stated, “Microsoft Windows contains a memory corruption bug in the handling of SMB traffic, which may allow a remote, unauthenticated attacker to cause a denial of service on a vulnerable system.”

The bug was discovered by security researcher Laurent Gaffié, aka PythonResponder. Microsoft allegedly had a patch ready to go three months ago, but it kept pushing the fix back. Gaffié told The Register he “submitted the bug to Microsoft on Sept. 25, 2016, and that Microsoft had a patch ready for its December patch cycle.
The company pushed the fix back to February, he explained, because it made more sense to them to release several SMB fixes at once rather than a single one in December.” Since Microsoft has previously “sat on vulnerabilities that he’s reported,” Gaffié decided to release proof-of-concept exploit code at the beginning of February. Then Microsoft canceled Patch Tuesday for the first time ever.

By releasing only a fix for Adobe Flash Player, Microsoft also chose to leave customers vulnerable to the Windows graphics library flaw that was disclosed by Google’s Project Zero team member Mateusz Jurczyk.

He first notified Microsoft last year, and the company attempted to resolve the issues with MS16-074, which was released in June 2016. However, Jurczyk discovered Microsoft did not patch all the flaws in the GDI library. An attacker could still steal information from memory, so he notified Microsoft again in November 2016.

He wrote, “It is possible to disclose uninitialized or out-of-bounds heap bytes via pixel colors, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker.” The pixels “may include sensitive information, such as private user data or information about the virtual address space.”

Jurczyk “confirmed that the vulnerability reproduces both locally in Internet Explorer, and remotely in Office Online, via a .docx document containing the specially crafted EMF file.” Per Project Zero’s disclosure policy, 90 days passed and Microsoft failed to patch, so the details of the vulnerability were publicly disclosed.

Microsoft has not given any in-depth explanation for what problems caused the February Patch Tuesday delay.