Microsoft issues SMB vulnerability advisory, patch pending

By Robert Westervelt, News Editor 09 Sep 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Microsoft issued an advisory Tuesday warning users of a critical flaw in the Server Message Block (SMB) and issued steps users can take to mitigate the threat of an attack.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

The SMB is used in Windows to communicate messages to devices on the network and is used for file sharing and communicating with printers. The SANS Internet Storm Center warned that exploit code surfaced last weekend, targeting the zero-day vulnerability.

In its advisory, Microsoft said the flaw is caused by the SMB implementation not appropriately parsing SMB negotiation requests.

Microsoft security updates: September - Microsoft repairs Windows media, TCP/IP vulnerabilities: Microsoft released five critical updates fixing a serious flaw in the Windows Media Format Runtime engine and TCP/IP processing errors that could crash Web and mail servers. August - Microsoft fixes Office Web Components vulnerability, kill-bit bypass: Microsoft repaired critical vulnerabilities in Microsoft Office Web Components affecting Office Word, Excel and PowerPoint viewer as well as its ISA and BizTalk servers. July - Microsoft issues emergency Active Template Library updates: Security updates address flaws the Active Template Library affecting Internet Explorer and Visual Studio. An IE fix also blocks a method that allows attackers to bypass kill-bits.

"Microsoft is currently working to develop a security update for Windows to address this vulnerability," the software giant said in its advisory. "Microsoft will release the security update once it has reached an appropriate level of quality for broad distribution."

The flaw can be exploited by an attacker targeting users of Windows 7 and Windows Vista with SMB enabled. The exploit code, published on the Full-Disclosure mailing list and added to the Metasploit testing platform, enables an attacker to remotely crash the machine.

Christopher Budd, security response communications lead for Microsoft said Microsoft is not currently aware of any attacks using this vulnerability.

In their tests of the exploit code, Microsoft researchers found that some attempts to exploit the flaw enabled an attacker to take complete control of an affected system. However, most attempts resulted in a system restart.

Danish vulnerability clearinghouse Secunia gave the flaw a moderately critical rating. As a workaround, Microsoft suggests disabling SMB2, but warns that using Registry Editor incorrectly can cause serious problems that may require a reinstall of the operating system. As an alternative, users can block TCP ports 139 and 445 at the firewall, a method which blocks all unsolicited inbound communication from the Internet. Microsoft warned that this workaround could cause applications to stop working.

SearchSecurity radio:

Microsoft said it was the second time in two weeks that a flaw was not responsibly reported to the software maker. Exploit code circulated on the Milw0rm site last week enabling attackers to exploit a FTP vulnerability in the Microsoft Internet Information Services (IIS) Web server. Microsoft is currently testing a patch but couldn't get it ready in time for its monthly Patch Tuesday updates.

Tags: Windows Security: Alerts, Updates and Best Practices,  Network Protocols and Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Windows Security: Alerts, Updates and Best Practices Exploit code targets Internet Explorer zero-day display flaw Windows 7 DoS flaw allows hackers to freeze Microsoft's newest OS Microsoft patches serious Windows kernel flaws Microsoft to address flaws in Windows, Office for Mac Microsoft fixes security update that breaks Internet Explorer What is the best database patch management process? Microsoft addresses critical SMBv2 flaw, fixes record number of flaws Microsoft to address SMB zero-day, IIS FTP Service vulnerabilities Microsoft releases temporary fix for SMB2 zero-day vulnerability Attackers target Microsoft IIS; new SMB flaw discovered Network Protocols and Security Expert calls SSL protocol vulnerability a non issue How to prevent phishing attacks with social engineering tests How SSL-encrypted Web connections are intercepted DNSSEC deployment challenges can be overcome Microsoft repairs Windows media, TCP/IP vulnerabilities How to test IPv6 infrastructures DNSSEC deployments gain momentum since Kaminsky DNS bug Kaminsky interview: DNSSEC addresses cross-organizational trust and security How to create secure Windows FTP automation PCI compliance requirement 4: Encrypt transmissions

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary BotHunter  (SearchSecurity.com) principle of least privilege (POLP)  (SearchSecurity.com) security identifier  (SearchSecurity.com) trusted computing  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary