September 18th, 2009

Microsoft ships one-click 'workaround' for critical SMB2 flaw

Posted by Ryan Naraine @ 1:56 pm

Categories: Arbitrary Code Execution, Botnets, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Locally Running Web Servers, Malware, Microsoft, Passwords, Patch Watch, Pen testing, Responsible disclosure, Viruses and Worms, Vulnerability research, Windows Vista, Zero-day attacks

Tags: Ryan Naraine

With exploit code in circulation and facing a race against time to fix the SMB v2 vulnerability haunting Windows Vista and Windows Server 2008, Microsoft today shipped a one-click “fix-it” workaround to help users avoid malicious hacker attacks.

The fix-it package, which was added to Redmond’s pre-patch advisory, effectively disables SMBv2 and then stops and starts the Server service. It provides temporary mitigation from remote code execution attacks targeting the known — and still unpatched — vulnerability.

[ SEE: Remote exploit released for Windows Vista SMB2 worm hole ]

Microsoft cautioned that disabling SMBv2 may slow down SMB connections between Windows Vista and Windows Server 2008 machines.

The company also confirmed that the exploit code released into Immunity’s Canvas pen-testing platform works as advertised:

We have analyzed the code ourselves and can confirm that it works reliably against 32-bit Windows Vista and Windows Server 2008 systems. The exploit gains complete control of the targeted system and can be launched by an unauthenticated user.

The exploit can be detected by intrusion detection systems (IDS) and firewalls that have signatures for the vulnerability being targeted (CVE-2009-3103).

This exploit code from Immunity is only available to a small group of companies and organizations who will use it to determine the risk to their own networks and systems, or those of their customers. (We are aware that other groups are actively working on exploit code which is likely to be made public when it is completed).

If reliable exploit code is released to the general public — a strong likelihood — it’s only a matter of time before malicious hacker attacks surface in the wild. In the meantime, it’s incumbent on Microsoft to ship an out-of-band patch as soon as possible.

[ SEE: Microsoft confirms SMB2 vulnerability, warns of code execution risk ]

Microsoft’s Jonathan Ness hinted that an emergency patch may be forthcoming but it depends entirely on how soon the patch can pass quality assurance testing:

[We're] not slowing down our investigation, and are working on an update that can be delivered for all customers. The product team has built packages and are hard-at-work testing now to ensure quality. It takes more testing than you might think to release a quality update. For this update, the product team has so far already completed over 10,000 separate test cases in their regression testing. They are now in stress testing, 3rd-party application testing, and fuzzing. We’d sure like to complete all that testing before the update needs to be released. We are keeping a close eye on the changing landscape and balancing this against the remaining test actions to determine the best ship schedule to bring a quality update to customers.

In the absence of a patch, here’s what you can do:

To revert the workaround, and re-enable SMBv2, you can:

Mitigation guidance for enterprises is available in this blog post and in the Microsoft security advisory.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
