Microsoft releases emergency patch for ‘leaked’ Windows 10 security bug

Microsoft has released a Windows patch for a security vulnerability that was prematurely disclosed earlier this week.

Details of the “critical”-rated bug were released on Tuesday as part of the software giant’s typical monthly release of security patches, what it calls Patch Tuesday. The bug exists in the latest version of Windows’ server message block, known as SMB, which lets Windows communicate with devices, like printers and file servers, on the network and across the internet.

A successful exploit of the SMB bug could allow an attacker to remotely run malicious code on any vulnerable computer.

Jamie Hankins, head of security and threat intelligence research at Kryptos Logic, said some 48,000 internet-connected unpatched servers are vulnerable to exploitation. But the figure is likely to be far greater, as it doesn’t take into account all of the other vulnerable computers connected to those unpatched servers.

News of the bug prompted fears that attackers could launch “wormable” attacks that spread rapidly across networks, like the WannaCry attack in 2017.

Now two days later, Microsoft has patches to fix the vulnerability for Windows 10 and Windows Server 2019, versions 1903 and 1909.

Earlier versions of Windows — including Windows 7, which Microsoft recently stopped providing patches for — are not affected by the vulnerability.

It’s not clear exactly what led to the inadvertent disclosure. Researchers at security firms Fortinet and Cisco released blog posts describing the vulnerability, but later removed references to the bug.

The patches are available through the typical update mechanisms, including Windows Update.