It disclosed the critical, “wormable” bug earlier than it wanted.
Microsoft has released an unscheduled patch for a security bug that it accidentally disclosed during the release of its March 2020 patch several days ago. While difficult to exploit, the vulnerability is “critical” because it could allow malicious code to automatically spread from one machine to another. By releasing the fix now, Microsoft aims to avoid a chain reaction scenario that played out with the WannaCry and NotPetya viruses in 2017.
The security hole exists in Microsoft’s Server Message block (SMB) protocol on recent 32- and 64-bit versions of Windows 10 both on the client and server sides. Researchers from Microsoft and elsewhere labeled it critical because the compromise of a single machine could compromise others on the same network. Microsoft said that there’s no evidence so far that the flaw is being actively exploited, but said it’s “more likely” than not to happen in the future.
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.
Windows 10 has strong defenses that make that scenario unlikely, but motivated and skilled attackers could likely engineer successful attacks. To prevent against that, users (especially those on networks) should install the KB4551762 security update as soon as possible or follow Microsoft’s mitigation advice. Most folks should get the patch installed automatically via Windows Update.