MS Patch Tuesday: 3 critical SMB vulnerabilities


Summary: Microsoft today shipped a solitary bulletin with patches for at least three documented security flaws in the Microsoft Server Message Block (SMB) Protocol. The three vulnerabilities, rated "critical" on Windows 2000, Windows XP and Windows Server 2003, expose Windows users to remote code execution attacks, Microsoft said in its MS09-001 bulletin.


Microsoft today shipped a solitary bulletin with patches for at least three documented security flaws in the Microsoft Server Message Block (SMB) Protocol.

The three vulnerabilities, rated "critical" on Windows 2000, Windows XP and Windows Server 2003, expose Windows users to remote code execution attacks, Microsoft said in its MS09-001 bulletin. The company warns:

"An attacker who successfully exploited these vulnerabilities could install programs; view, change, or delete data; or create new accounts with full user rights."

Only two of the three vulnerabilities affect Windows Vista and Windows Server 2008.

Although the exposure to risk seems severe (remote code execution), Microsoft believes it's unlikely that functioning exploit code will be created and released.  Microsoft's Mark Wodrich explains why:

  • The vulnerabilities cause a fixed value (zero) to be written to kernel memory – not data that the attacker controls.
  • Controlling what data is overwritten is difficult. To exploit this type of kernel buffer overrun, an attacker typically needs to be able to predict the layout and contents of memory. The memory layout of the targeted machine will depend on various factors such as the physical characteristics (RAM, CPUs) of the system, system load, other SMB requests it is processing, etc.

Eric Schultze, CTO at patch management specialists Shavlik, still recommends that Windows users view MS09-001 as "super critical to install right away."

This flaw enables an attacker to send evil packets to a Microsoft computer and take any action they desire on that computer - no credentials required.  The only pre-requisite for this attack to be successful is a connection from the attacker to the victim over the NetBIOS (File and Printer Sharing) ports (tcp 139 or 445).  By default, most computers have these ports turned on.

While these ports are usually blocked on Internet firewalls and personal firewalls, they are typically left open in a corporate network. If a worm is released, and that worm makes it into a corporate network, it will make Swiss cheese of that network relatively quickly.

According to Roel Schouwenberg, a senior anti-virus researcher at Kaspersky Lab (my employer), the risk of a network worm attack is minimal. "It's unlikely we'll see a worm," he said.



Talkback

7 comments
  • Hard to find decent help these days

    [i]Microsoft today shipped a solitary bulletin with patches for at least three documented security flaws in the Microsoft Server Message Block (SMB) Protocol.[/i]

    Except it's not in the protocol but in Microsoft's code that implements the protocol. SAMBA, for instance, has no such issues.
    Yagotta B. Kidding
  • "Firewall best practices"

    NetBIOS has been a security risk since the beginning. And still, there isn't any "safe" way to completely disable it. After all this time they still recommend "firewall best practices" instead of providing a patch that prevents opening NetBIOS ports if they are not needed on a system. Firewalls can block connections to those ports from untrusted zones and untrusted applications but most of them don't block a trusted application from delivering an exploit (an IMG SRC from localhost:139/path/file.jpg is not blocked because localhost is trusted by default in most firewalls, and a browser is also trusted).
    Uninstalling NetBIOS and File and Printer sharing services only disallows local users from accessing shared objects, but the local ports 137, 138, 139 are still opened by netbt.sys. The only way to prevent opening those ports is to patch netbt.sys. But a patch like this would be illegal unless they provide it themselves (I'm not a lawyer, license agreement terms may have different meanings for different situations so I could be wrong).
    Vektor_
    • Disabling ports 137-139 is dirt simple:

      1. Open the properties for the network adapter for which you want to disable the ports.

      2. Double click the "Internet Protocol (TCP/IP)" item.

      3. Click the "Advanced" button from the "General" tab.

      4. Select the "WINS" tab.

      5. Click "Disable NetBIOS over TCP/IP".

      6. Close all the dialogs.

      Ports 137-139 are now closed. Though this doesn't address the problem as port 445 remains accessible. If you want to disable all sharing then uncheck the "File and Printer Sharing for Microsoft Networks" from the properties dialog mentioned in step one.
      ye
      • Re: Disabling ports 137-139

        I thought I had all NetBIOS related services disabled. I tested this with original netbt.sys and it works. I didn't know about this one. Thanks.
        Vektor_
      • Port 445

        For port 445 there is a registry fix (that is not needed if file and printer sharing are uninstalled),

        REGEDIT4
        [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters]
        "TransportBindName"=""
        Vektor_
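An audit script covering the two changes discussed in this thread (disabling NetBIOS over TCP/IP per adapter in the steps above, and the TransportBindName registry value for port 445); it is added here and is not from the article or its commenters. It assumes a Windows 8 / Server 2012 or later host with PowerShell 5.1, since the original posts describe Windows XP-era dialogs.

```powershell
# Added audit script; not from the article or the commenters. Assumes Windows PowerShell 5.1+
# on Windows 8 / Server 2012 or later (Get-NetTCPConnection, Get-NetUDPEndpoint, CIM cmdlets).
# It reads state only; the commented lines at the end are the changes the thread describes.

$netbtKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

# 1. TransportBindName: the default "\Device\" binds SMB direct hosting to TCP 445;
#    the empty string from the comment above unbinds it.
$bind = (Get-ItemProperty -Path $netbtKey -Name TransportBindName -ErrorAction SilentlyContinue).TransportBindName
if ([string]::IsNullOrEmpty($bind)) {
    Write-Output 'TransportBindName is empty: TCP 445 direct-hosted SMB is unbound'
} else {
    Write-Output "TransportBindName = '$bind': TCP 445 direct-hosted SMB is bound"
}

# 2. Per-adapter NetBIOS over TCP/IP (the WINS-tab setting in the steps above).
#    TcpipNetbiosOptions: 0 = follow DHCP, 1 = enabled, 2 = disabled.
$labels = @{ 0 = 'via DHCP'; 1 = 'enabled'; 2 = 'disabled' }
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $state = $labels[[int]$_.TcpipNetbiosOptions]
        Write-Output ("{0}: NetBIOS over TCP/IP {1}" -f $_.Description, $state)
    }

# 3. What is actually listening right now, regardless of configuration.
$tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 139, 445 }
$udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 137, 138 }
foreach ($l in $tcp) { Write-Output ("Listening TCP {0} on {1}" -f $l.LocalPort, $l.LocalAddress) }
foreach ($l in $udp) { Write-Output ("Bound UDP {0} on {1}" -f $l.LocalPort, $l.LocalAddress) }
if (-not $tcp -and -not $udp) { Write-Output 'No NetBIOS/SMB ports open' }

# To apply the changes from the thread (run elevated; a reboot is needed for TransportBindName):
# Set-ItemProperty -Path $netbtKey -Name TransportBindName -Value ''
# Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
#     Invoke-CimMethod -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
```

Step 3 is the check that matters: configuration alone can leave the ports open, as the commenter found with the original netbt.sys, so verify the listeners after any change.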
  • Some things are rock-steady!!

    Nice to see that Microsoft retains its prowess even in these troubled economic times!! ;)
    Techboy_z
  • RE: MS Patch Tuesday: 3 critical SMB vulnerabilities

    Great!!! Thanks for sharing this information with us!
    birumut