
Microsoft issues SMB vulnerability advisory, patch pending

With attack code widely available, companies could take steps to mitigate the threat. Windows 7 and Vista users are at risk.

Microsoft issued an advisory Tuesday warning users of a critical flaw in Server Message Block (SMB) and outlining steps users can take to mitigate the threat of an attack.


SMB is the protocol Windows uses to exchange messages with other devices on the network, including for file sharing and communicating with printers. The SANS Internet Storm Center warned that exploit code targeting the zero-day vulnerability surfaced last weekend.

In its advisory, Microsoft said the flaw is caused by the SMB implementation not appropriately parsing SMB negotiation requests.

Microsoft security updates:

September - Microsoft repairs Windows media, TCP/IP vulnerabilities: Microsoft released five critical updates fixing a serious flaw in the Windows Media Format Runtime engine and TCP/IP processing errors that could crash Web and mail servers.

August - Microsoft fixes Office Web Components vulnerability, kill-bit bypass: Microsoft repaired critical vulnerabilities in Microsoft Office Web Components affecting Office Word, Excel and PowerPoint viewer as well as its ISA and BizTalk servers.

July - Microsoft issues emergency Active Template Library updates: Security updates address flaws in the Active Template Library affecting Internet Explorer and Visual Studio. An IE fix also blocks a method that allows attackers to bypass kill-bits.

"Microsoft is currently working to develop a security update for Windows to address this vulnerability," the software giant said in its advisory. "Microsoft will release the security update once it has reached an appropriate level of quality for broad distribution."

The flaw can be exploited by an attacker targeting users of Windows 7 and Windows Vista with SMB enabled. The exploit code, published on the Full-Disclosure mailing list and added to the Metasploit testing platform, enables an attacker to remotely crash the machine.

Christopher Budd, security response communications lead for Microsoft, said Microsoft is not currently aware of any attacks using this vulnerability.

In their tests of the exploit code, Microsoft researchers found that some attempts to exploit the flaw enabled an attacker to take complete control of an affected system. However, most attempts resulted in a system restart.

Danish vulnerability clearinghouse Secunia gave the flaw a moderately critical rating. As a workaround, Microsoft suggests disabling SMB2, but warns that using Registry Editor incorrectly can cause serious problems that may require a reinstall of the operating system. As an alternative, users can block TCP ports 139 and 445 at the firewall, a method which blocks all unsolicited inbound communication from the Internet. Microsoft warned that this workaround could cause applications to stop working. 
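An added example, not part of the original article or of Microsoft's own tooling: a PowerShell script that reports whether the two workarounds described above are in place on a host and, when run with `-Apply`, sets them. It assumes PowerShell 2.0 or later in an elevated prompt, and it applies the port block on the host's own Windows Firewall rather than on a perimeter firewall; the rule name is chosen for this example.

```powershell
# Added example. Without -Apply it only reports; with -Apply it sets both workarounds.
param([switch]$Apply)

$regPath  = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$key      = "HKLM:\$regPath"
$ruleName = 'Block-Inbound-SMB-Workaround'   # hypothetical name, used only here

# --- Workaround 1: SMB2 disabled on the Server service ----------------------
# A missing Smb2 value means SMB2 is enabled, which is the default.
$smb2    = (Get-ItemProperty -Path $key -Name Smb2 -ErrorAction SilentlyContinue).Smb2
$smb2Off = ($smb2 -eq 0)
if (-not $smb2Off -and $Apply) {
    # Export the key first so the edit can be rolled back by importing the file.
    reg export "HKLM\$regPath" "$env:TEMP\LanmanServer-Parameters.reg" /y | Out-Null
    New-ItemProperty -Path $key -Name Smb2 -PropertyType DWord -Value 0 -Force | Out-Null
    # The change takes effect once the Server service has been restarted.
    Restart-Service -Name LanmanServer -Force
    $smb2Off = $true
}

# --- Workaround 2: inbound TCP 139 and 445 blocked on the host firewall -----
# netsh exits non-zero when no rule with this name exists.
netsh advfirewall firewall show rule name=$ruleName | Out-Null
$ruleExists = ($LASTEXITCODE -eq 0)
if (-not $ruleExists -and $Apply) {
    netsh advfirewall firewall add rule name=$ruleName dir=in action=block `
        protocol=TCP localport=139,445 | Out-Null
    $ruleExists = ($LASTEXITCODE -eq 0)
}

# --- Report ------------------------------------------------------------------
New-Object PSObject -Property @{
    Computer        = $env:COMPUTERNAME
    Smb2Disabled    = $smb2Off
    SmbPortsBlocked = $ruleExists
}
```

The firewall check only recognizes the rule this script creates, so a host protected by a differently named rule or by a network firewall will still report `SmbPortsBlocked` as false.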

Microsoft said it was the second time in two weeks that a flaw was not responsibly reported to the software maker. Exploit code circulated on the Milw0rm site last week enabling attackers to exploit an FTP vulnerability in the Microsoft Internet Information Services (IIS) Web server. Microsoft is currently testing a patch but couldn't get it ready in time for its monthly Patch Tuesday updates.


1 comment


Yeah, this could be a big issue. My question is this. I can't help but wonder why people don't report these flaws to the vendors when they find them in the wild, so they can actually patch them. I know not everyone out there is a malicious cracker jack black hat hacker.