SMB2 remote exploit released
Last week Guy posted a diary (http://isc.sans.org/diary.html?storyid=7093) about a 0-day vulnerability in SMB2 on Windows Vista and Server 2008 operating systems. Back then the exploit only crashed affected systems.
This is already bad enough; however, it just got worse. Yesterday a well-known security company added a module for their exploitation product. The module contains the remote exploit for this vulnerability – in other words, any user running this tool can get full access to affected machines.
If the exploit is stable enough, it can _very easily_ be used in a worm, so it can potentially be devastating.
So, if you are running a Windows Vista or Server 2008 machine (Windows 7 RTM is not affected, RC *is*), be sure you apply one of the workarounds listed by Microsoft (they are not perfect, but they can help), available here:
- Run a host-based firewall which will block access to ports 139 and 445. Please note that the built-in firewall in Windows Vista will automatically block this traffic if your location is set to Public. In other words, if you connect to a wireless network at Starbucks and set this, you will be fine, but if you are inside your organization you are probably vulnerable, unless your administrators went one step further and used group policies to properly configure your firewall.
- Disable SMB2. This has some performance impact, but that is something one can live with until the patch is out. However, it requires modifying the registry.
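The firewall workaround above relies on the network location being set to Public; the following added example (not part of the diary or of Microsoft's advisory) shows how to make the block explicit on every profile instead. It assumes Windows Firewall with Advanced Security on Vista / Server 2008, its HNetCfg COM API, and an elevated PowerShell prompt; the rule name is an arbitrary label chosen here.

```powershell
# Added example: create an explicit inbound block rule for TCP 139/445 on all
# firewall profiles (domain, private, public), so the mitigation no longer
# depends on which network location the user picked. Run elevated.

$ruleName = "SMB2 workaround - block inbound TCP 139/445"   # arbitrary label

$policy = New-Object -ComObject HNetCfg.FwPolicy2

# Show which profile(s) are active: 1 = Domain, 2 = Private, 4 = Public (bitmask)
"Current profile bitmask: $($policy.CurrentProfileTypes)"
foreach ($p in 1, 2, 4) {
    $state = if ($policy.FirewallEnabled($p)) { "on" } else { "OFF" }
    "Profile {0}: firewall {1}" -f $p, $state
}

# Do not add a duplicate rule if this script has already been run
$existing = @($policy.Rules | Where-Object { $_.Name -eq $ruleName })
if ($existing.Count -eq 0) {
    $rule = New-Object -ComObject HNetCfg.FWRule
    $rule.Name        = $ruleName
    $rule.Description = "Temporary mitigation until the SMB2 patch is applied"
    $rule.Protocol    = 6            # TCP (must be set before LocalPorts)
    $rule.LocalPorts  = "139,445"    # NetBIOS session service and direct-hosted SMB
    $rule.Direction   = 1            # NET_FW_RULE_DIR_IN
    $rule.Action      = 0            # NET_FW_ACTION_BLOCK; block rules win over allow rules
    $rule.Profiles    = 0x7FFFFFFF   # NET_FW_PROFILE2_ALL: domain, private and public
    $rule.Enabled     = $true
    $policy.Rules.Add($rule)
    "Added rule: $ruleName"
} else {
    "Rule already present: $ruleName"
}

# Verify by reading the rule back out of the policy store
$policy.Rules | Where-Object { $_.Name -eq $ruleName } |
    Select-Object Name, Direction, Action, Protocol, LocalPorts, Profiles, Enabled
```

This also blocks legitimate inbound file and print sharing to the machine, so remove the rule (via $policy.Rules.Remove($ruleName)) once the patch is installed.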
We will keep an eye on the development and will update the diary as necessary.
--
Bojan