Patch Tuesday: Microsoft fixes the SMB protocol


The latest update from Microsoft for its monthly patch batch involves fixing an unauthenticated remote code execution vulnerability that exists in the way that Microsoft Server Message Block (SMB) Protocol software handles SMB packets.


The bulletin indicates that exploitation does not require authentication: an attacker could trigger the vulnerability simply by sending a network message to a computer running the Server service.

According to the bulletin, “an attacker who successfully exploited these vulnerabilities could install programs; view, change, or delete data; or create new accounts with full user rights.”

The security update addresses the vulnerability by validating the fields inside the SMB packets. Microsoft recommends that customers apply the update immediately.

This security update is rated "critical" for all supported editions of Microsoft Windows 2000, Windows XP, and Windows Server 2003, and "moderate" for all supported editions of Windows Vista and Windows Server 2008.

Alfred Huger, VP of development at Symantec Security Response, told SCMagazineUS.com, “Such vulnerabilities are very difficult to exploit – not impossible – but difficult, given that they are at the kernel level. The kernel is finicky. Often, attempts to exploit it more often than not will lead to a blue screen, rather than successful exploitation.”

In a comment emailed to SCMagazineUS.com, Shavlik Technologies' CTO Eric Schultze said, “This vulnerability is similar to what prompted the Blaster and Sasser worms a few years ago. We expect to see a worm released for this in the very near future.”

He added, “The only prerequisite for this attack to be successful is a connection from the attacker to the victim over the NetBIOS (File and Printer Sharing) ports (TCP 139 or 445). By default, most computers have these ports turned on.”

That is, even though the ports are usually blocked on internet firewalls and personal firewalls, they are typically left open in a corporate network. 

“If a worm is released, and that worm makes it into a corporate network, it will make Swiss cheese of that network relatively quickly,” said Schultze.

See original article on scmagazineus.com
Copyright © SC Magazine, US edition