Microsoft issued an advisory Tuesday warning users of a critical flaw in the Server Message Block (SMB) and issued steps users can take to mitigate the threat of an attack.
The SMB is used in Windows to communicate messages to devices on the network and is used for file sharing and communicating with printers. The SANS Internet Storm Center warned that exploit code surfaced last weekend, targeting the zero-day vulnerability.
In its advisory, Microsoft said the flaw is caused by the SMB implementation not appropriately parsing SMB negotiation requests.
Microsoft security updates:
August - Microsoft fixes Office Web Components vulnerability, kill-bit bypass: Microsoft repaired critical vulnerabilities in Microsoft Office Web Components affecting Office Word, Excel and PowerPoint viewer as well as its ISA and BizTalk servers.
July - Microsoft issues emergency Active Template Library updates: Security updates address flaws the Active Template Library affecting Internet Explorer and Visual Studio. An IE fix also blocks a method that allows attackers to bypass kill-bits.
"Microsoft is currently working to develop a security update for Windows to address this vulnerability," the software giant said in its advisory. "Microsoft will release the security update once it has reached an appropriate level of quality for broad distribution."
The flaw can be exploited by an attacker targeting users of Windows 7 and Windows Vista with SMB enabled. The exploit code, published on the Full-Disclosure mailing list and added to the Metasploit testing platform, enables an attacker to remotely crash the machine.
Christopher Budd, security response communications lead for Microsoft said Microsoft is not currently aware of any attacks using this vulnerability.
In their tests of the exploit code, Microsoft researchers found that some attempts to exploit the flaw enabled an attacker to take complete control of an affected system. However, most attempts resulted in a system restart.
Danish vulnerability clearinghouse Secunia gave the flaw a moderately critical rating. As a workaround, Microsoft suggests disabling SMB2, but warns that using Registry Editor incorrectly can cause serious problems that may require a reinstall of the operating system. As an alternative, users can block TCP ports 139 and 445 at the firewall, a method which blocks all unsolicited inbound communication from the Internet. Microsoft warned that this workaround could cause applications to stop working.
Microsoft said it was the second time in two weeks that a flaw was not responsibly reported to the software maker. Exploit code circulated on the Milw0rm site last week enabling attackers to exploit a FTP vulnerability in the Microsoft Internet Information Services (IIS) Web server. Microsoft is currently testing a patch but couldn't get it ready in time for its monthly Patch Tuesday updates.