I use Windows 10 for business purposes, and the NSA's EternalBlue exploit has been ported to the OS. What can users do to prevent EternalBlue from affecting Windows 10?
In September 2017, Microsoft will release the Windows 10 Redstone 3 update, and Server Message Block version 1 (SMBv1) will be officially kicked out. EternalBlue will be prevented from exploiting a vulnerability (CVE-2017-0144), and all files in Windows 10 and Office 365 will be protected from malicious remote execution.
Many Windows users didn't install patches for previous Windows versions that are currently supported by Microsoft. They became victims of the WannaCry ransomware that made use of EternalBlue. Impacted files were shared between Windows clients and servers through the vulnerable protocol.
Researchers at RiskSense showed how EternalBlue could help an attacker launch a remote execution attack. They used its DoublePulsar backdoor payload and the NSA's Fuzzbunch platform, which is similar to Metasploit, to port the EternalBlue exploit to Windows 10 x64 version 1511, codenamed Redstone 2.
While organizations wait for Redstone 3's release, they can apply guidance found in Microsoft Security Bulletin MS17-010. SMBv1 can easily be disabled by clearing the SMB1.0/CIFS File Sharing Support checkbox in the Control Panel in Windows 8.1 or later. Organizations can use similar methods for Windows Server 2012 R2 and later.
Redstone 3 will save organizations the headache of making laborious manual changes across the thousands of Windows PCs and servers they oversee, whether at home or abroad.
The SMBv2 protocol was introduced in Windows Vista and Windows Server 2008. The SMBv3 protocol was introduced in Windows 8 and Windows Server 2012. All three SMB versions are also implemented in non-Microsoft operating systems, which is what lets those systems connect to Windows 10.
Microsoft doesn't recommend disabling SMBv2 or SMBv3 on Windows client or server operating systems. Disabling SMBv3 deactivates the encryption that protects against eavesdropping on untrusted networks. Organizations should proceed with caution if they disable either protocol as a temporary troubleshooting measure.
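The MS17-010 guidance above (disable SMBv1, leave SMBv2 and SMBv3 alone) is a per-host change, and the Control Panel checkbox does not scale to thousands of machines. The following PowerShell script is an added example, not part of the original answer, that audits and disables SMBv1 on a Windows 8.1/10 client or a Windows Server 2012 R2+ host while confirming that SMBv2/SMBv3 stays enabled. It uses only Microsoft's documented cmdlets (Get-/Set-SmbServerConfiguration, Get-/Disable-WindowsOptionalFeature, Get-/Remove-WindowsFeature); it assumes an elevated PowerShell session and that the SmbShare module is present (Windows 8 / Server 2012 and later).

```powershell
# Added example (not from the original answer): scripted equivalent of clearing
# "SMB 1.0/CIFS File Sharing Support", with a check that SMBv2/v3 is untouched.
# Assumes an elevated PowerShell session on Windows 8.1/10 or Server 2012 R2+.

# --- 1. Audit the current server-side SMB settings ---
$before = Get-SmbServerConfiguration
"SMB1 server protocol enabled  : $($before.EnableSMB1Protocol)"
"SMB2/3 server protocol enabled: $($before.EnableSMB2Protocol)"

# --- 2. Turn the SMBv1 server protocol off in place (takes effect immediately) ---
if ($before.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# --- 3. Remove the SMBv1 feature itself so it cannot be re-enabled by accident ---
# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.ProductType -eq 1) {
    # Client SKU: same feature the Control Panel checkbox controls
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    if ($feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
} else {
    # Server SKU (Windows Server 2012 R2 and later expose SMBv1 as FS-SMB1)
    if ((Get-WindowsFeature -Name FS-SMB1).Installed) {
        Remove-WindowsFeature -Name FS-SMB1
    }
}

# --- 4. Verify: SMBv1 off, SMBv2/SMBv3 still on (Microsoft advises against disabling them) ---
$after = Get-SmbServerConfiguration
if ($after.EnableSMB1Protocol) {
    Write-Warning "SMBv1 is still enabled on this host; re-check steps 2 and 3."
}
if (-not $after.EnableSMB2Protocol) {
    Write-Warning "SMBv2/SMBv3 is disabled; this also disables SMB encryption. Re-enable with: Set-SmbServerConfiguration -EnableSMB2Protocol `$true -Force"
}
```

Step 2 stops the server listening for SMBv1 dialects right away; step 3 removes the binaries and takes effect after a reboot (-NoRestart only defers it). Run the audit portion (steps 1 and 4) on its own first to find hosts that still have SMBv1 on, then push the full script through your usual remote-execution or configuration-management channel.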
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)