Windows SMB2 exploit now public; Expect in-the-wild attacks soon

Summary: Fully functional exploit code for the (still unpatched) Windows SMB v2 vulnerability has been released publicly through the freely available Metasploit exploitation framework.

Fully functional exploit code for the (still unpatched) Windows SMB v2 vulnerability has been released publicly through the freely available Metasploit exploitation framework, raising the likelihood of remote code execution attacks in the wild.

The exploit, created and released by Harmony Security's Stephen Fewer, gives attackers a working template for remote code execution (planting malware or opening backdoors) on Windows Vista Service Pack 1 and 2 as well as Windows Server 2008 SP1.

[ SEE: Microsoft confirms SMB2 vulnerability, warns of code execution risk ]

The release of the public exploit puts Microsoft under serious pressure to complete its patch-testing process and release a fix to head off in-the-wild attacks.

According to Microsoft's Jonathan Ness, the company's security response team has already completed more than 10,000 separate test cases in its regression testing and is currently doing "stress testing, 3rd-party application testing, and fuzzing."

Microsoft's next scheduled Patch Day is more than two weeks away -- on October 13, 2009 -- which means the company is now under pressure to issue an emergency, out-of-cycle fix for vulnerable Windows users.

The flaw, which was originally disclosed on September 8 as a simple denial-of-service issue, does not affect the RTM version of Windows 7.

[ SEE: Remote exploit released for Windows Vista SMB2 worm hole ]

On September 17, a team of exploit writers from Immunity created a remote exploit that has been fitted into Immunity's Canvas pen-testing platform. That exploit works against all versions of Windows Vista and Windows Server 2008 SP2.

Until Microsoft issues a patch, users of affected Windows versions should immediately apply the one-click "Fix it" workaround that is available. The Fix it package, which was added to Redmond's pre-patch advisory, disables SMBv2 and then stops and restarts the Server service. It is a temporary mitigation against remote code execution attacks targeting the known, still unpatched vulnerability. Note that with SMBv2 disabled, file sharing falls back to SMBv1, and restarting the Server service briefly drops existing share connections to the host, so schedule the change accordingly.

Microsoft also provides a matching Fix it to revert the workaround and re-enable SMBv2 once a patch is installed. Mitigation guidance for enterprises is available in this blog post and in the Microsoft security advisory.
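For administrators who prefer to apply or revert the workaround from a script rather than the one-click package (for example across many hosts), the following PowerShell is an added example and is not code from the article or from Microsoft's Fix it package. It assumes the registry location used by the advisory's manual workaround, the Smb2 DWORD under the LanmanServer Parameters key (0 disables SMBv2; absent or non-zero leaves it enabled); confirm that against the advisory before use. It must run from an elevated prompt on Vista or Server 2008.

```powershell
# Added example (not the article's or Microsoft's own code). Applies the SMBv2
# workaround, or reverts it with -Revert, and verifies the result.
# Assumption: the Smb2 DWORD under LanmanServer\Parameters is the switch the
# advisory's manual workaround describes (0 = disabled, missing/1 = enabled).
param(
    [switch]$Revert   # re-enable SMBv2 instead of disabling it
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$name = 'Smb2'

function Get-Smb2State {
    # Reports 'disabled' only when the value exists and is exactly 0; a missing
    # value or any other number means SMBv2 is still on for this host.
    $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 0) { 'disabled' } else { 'enabled' }
}

Write-Host "SMBv2 before: $(Get-Smb2State)"

if ($Revert) {
    # Deleting the value restores the default (SMBv2 enabled).
    Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
} else {
    Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
}

# The setting is read when srv2.sys loads, so the Server service (LanmanServer)
# must be restarted. -Force also restarts dependents such as Computer Browser.
# Existing SMB sessions to this host are dropped for a moment.
Restart-Service -Name LanmanServer -Force

# Check that file sharing came back and that the switch is in the state we asked for.
$svc = Get-Service -Name LanmanServer
if ($svc.Status -ne 'Running') {
    throw "Server service did not come back after restart: $($svc.Status)"
}
$expected = if ($Revert) { 'enabled' } else { 'disabled' }
$actual   = Get-Smb2State
if ($actual -ne $expected) {
    throw "SMBv2 is '$actual' but expected '$expected'; check the registry value by hand."
}
Write-Host "SMBv2 after:  $actual"
```

Run it with no arguments to disable SMBv2 and with -Revert after the patch is installed. The two checks at the end are the point of scripting this at all: a host where the Server service failed to restart, or where the value was written to the wrong hive, would otherwise look mitigated while still exposing the vulnerable code path.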


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe.
