Microsoft explains the seven-year delay in issuing a patch
"Why has it taken Microsoft until now to patch Windows' vulnerability to SMB replay/reflection attacks, even though the problem was known in 2001?" This was the question repeatedly put to the Redmond software giant last patch day. In these attacks, the operator of a malicious SMB server takes the NTLM login credentials sent by a PC attempting to log in and reflects them back to that same PC, thereby gaining access to it and the ability to run applications on it.
Christopher Budd from the Security Team has responded to the question in the Microsoft Security Response Center (MSRC) blog. He says that any patch implemented at that time would have had an extremely negative impact on network-based applications. Many applications would have simply stopped working and others - Outlook 2000 and Exchange Server 2000, for example - would have been unable to communicate with each other. Although Microsoft advised customers concerned about this issue to use SMB signing as an effective mitigation, this was not always straightforward.
Since then, Microsoft has continued to work on the problem, gradually introducing incremental changes in more recent Windows versions such as XP SP2 and Vista in an attempt to limit the scale of the problem. However, says Budd, over the years the developers have gained enough experience to finally produce a security update that would not have a negative impact on customers' applications. The patch, MS08-068, released last Tuesday, is designed to do just that, and so far it has done so successfully.
- MS08-068 and SMBRelay, Blog by Christopher Budd