Microsoft has pared back its engineering teams -- they were affected by the 2014 layoffs -- and has discontinued some long-time security practices, including the advance warnings of upcoming Patch Tuesday slates and a monthly post-patch webcast.
Another unknown is whether someone will expand on the existing PoC and come up with code that can, as Microsoft believes possible, conduct a remote exploit that would rely simply on sending a malformed HTTP request.
Ullrich thought that unlikely. "The chance for a RCE [remote code executable exploit] is low," Ullrich said. "There is a chance of an information leakage issue if the server offers files. This information leakage has not been demonstrated yet, but the Chinese summary published yesterday offers some pointers. It would leak kernel memory that may then be used for RCE."
Meanwhile, Wisniewski thought different: "I suspect remote code might become visible quite soon. That's why the fear of this is why amped up. We're scared that the code out is there and we can't pinpoint who is at risk."
Sign up for Computerworld eNewsletters.