Remote exploit released for Windows Vista SMB2 worm hole


Summary: A team of security researchers have created a reliable remote exploit capable of spawning a worm through an unpatched security hole in Microsoft's Windows operating system.


Security researchers at penetration testing firm Immunity have created a reliable remote exploit capable of spawning a worm through an unpatched security hole in Microsoft's dominant Windows operating system.

A team of exploit writers led by Kostya Kortchinsky attacked the known SMB v2 vulnerability and created a remote exploit that's been fitted into Immunity's Canvas pen-testing platform. The exploit hits all versions of Windows Vista and Windows Server 2008 SP2, according to Immunity's Dave Aitel.


Immunity's Canvas is used by intrusion detection system (IDS) companies and larger penetration testing firms as a risk management tool.

Exploit writers at the freely available Metasploit Project are also close to finishing a reliable exploit for the vulnerability, according to Metasploit's HD Moore.

The vulnerability, which was originally released as a denial-of-service issue, does not affect the RTM version of Windows 7, Microsoft said. It appears Microsoft fixed the flaw in Windows 7 build ~7130, just after RC1.  Windows Vista and Windows Server 2008 users remain at risk.

In the absence of a patch, Microsoft recommends that users disable SMB v2 and block TCP ports 139 and 445 at the firewall.
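The workaround above, applied on a single Vista or Server 2008 host, as an added example that is not part of the original article or Microsoft's own script. It assumes an elevated PowerShell session and uses the host firewall as a stand-in for the perimeter block; the rule name and the `$backup` path are illustrative choices.

```powershell
# Added example: apply and verify the interim SMBv2 workaround on one host.
# Run from an elevated PowerShell prompt.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$rule   = 'Temp block inbound SMB'          # illustrative rule name
$backup = "$env:TEMP\smb2-before.txt"       # illustrative path for the rollback note

# 1. Record the current state so the change can be reverted after patching.
#    A missing Smb2 value means the default (SMBv2 enabled).
$current = Get-ItemProperty -Path $params -Name Smb2 -ErrorAction SilentlyContinue
if ($current) { "Smb2=$($current.Smb2)" | Out-File $backup }
else          { 'Smb2=<not set>'        | Out-File $backup }

# 2. Disable the SMBv2 server component (Smb2 = 0, REG_DWORD).
Set-ItemProperty -Path $params -Name Smb2 -Type DWord -Value 0 -Force

# 3. Block inbound TCP 139 and 445. This stops all inbound file sharing to the
#    host, so apply it only where that is acceptable, or enforce the block at
#    the network perimeter instead.
netsh advfirewall firewall add rule name="$rule" dir=in action=block `
    protocol=TCP localport=139,445

# 4. Verify both controls are in place.
$check = (Get-ItemProperty -Path $params -Name Smb2).Smb2
if ($check -ne 0) { Write-Warning 'Smb2 is still enabled' }
netsh advfirewall firewall show rule name="$rule"

# 5. Reboot so the Server service starts with the new setting.
Write-Host "Previous state saved to $backup. Reboot to complete the change."

# Rollback once a patch is installed:
#   Set-ItemProperty -Path $params -Name Smb2 -Type DWord -Value 1 -Force
#   netsh advfirewall firewall delete rule name="Temp block inbound SMB"
```

With SMBv2 disabled, clients fall back to SMBv1 for file sharing, so expect the performance and feature differences that come with it until the workaround is rolled back.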


Talkback

  • Time for an out-of-cycle patch Microsoft. nt

    ye
    • Why?

      When Ye, George Ou, LiquidLearner, Sleeper Service all denied exposure and a problem ;-)

      See replies to:

      http://talkback.zdnet.com/5208-12691-0.html?forumID=1&threadID=68933&messageID=1317773

      http://talkback.zdnet.com/5208-12691-0.html?forumID=1&threadID=68879&messageID=1316529
      Richard Flude
      • You mean like this:

        http://talkback.zdnet.com/5208-12691-0.html?forumID=1&threadID=68933&messageID=1317506

        And this:

        http://talkback.zdnet.com/5208-12691-0.html?forumID=1&threadID=68933&messageID=1318329

        You must have a different definition of denial than I do.
        ye
      • Did you even read what I wrote?

        I said the vulnerability needs to be patched before it is combined with a mechanism to spread. Yes, it's a serious issue. If you bothered to read anything I wrote you'd see I was simply pointing out that it needs another method of getting on your network before the SMBv2 exploit matters. I expected an out of band exploit to be done by now and, to be perfectly honest, am quite upset that it's not. Disabling SMB2 isn't a very good workaround.

        But hey, feel free to continue to put words in my mouth.
        LiquidLearner
  • This exploit doesn't count

    If the exploit was created by security researchers, it doesn't count.

    Cue the double standards...
    NonZealot
    • It's called "Proof of concept".

      Originally classified as "Denial of Service", it is now proved to be wormable in every version of Windows currently on the market.

      But feel free not to apply the eventual(?) patch yourself, if you really insist.

      "Cue the double standards..."

      Huh? If this wormhole had been discovered in any Linux-based OS then certain characters on these message boards would be wetting themselves in glee. So perhaps by "double standards" you are referring to how curiously quiet it is in here?
      Zogg
      • /me slips a fresh battery into Zogg's sarcasm detector ;)

        I think he was sarcastically alluding to certain ZDNet residents who tend to dismiss their alternate OS's demonstrated vulnerabilities, on the grounds that they're not actually being used in the wild for a malicious purpose, and therefore "don't count."
        mechBgon
        • Ah - so like a Nostradamus prophecy...

          NZ makes a meaningless statement, and everyone (else) struggles to extract some 'deeper wisdom' from it.

          Naa, not really ;-)
          Zogg
          • You might be struggling. I had no problem...

            ...understanding it to be exactly what mechBgon stated.
            ye
          • Understand? Yes. Agree? No. (nt)

            Zogg
        • In this case...

          The zealot (never a non) might have a case considering the relatively low incidence of Vista machines compared to the overall pool of potential victims. That, and if these systems' value as victims is low, then considering this as a mere "proof of concept" could be valid.

          Mind you, considering the stated downside of a successful hack I reckon Vista users would expect a patch ASAP.

          zkiwi
          • Gee, that sounds suspiciously like a marketshare argument

            "might have a case considering the relatively low incidence of Vista machines compared to the overall pool of potential victims"

            Want to rephrase?
            NonZealot
          • No....

            Because I completed the thought by including commentary on value of the target/victims.

            But apparently you chose not to read that.

            Bothering to exploit a vulnerability mostly comes down to a cost-benefit analysis where market share is only one variable. Although sometimes it is done without regard to that, because "it might come in handy later."
            zkiwi
        • NonZealot's fine

          He can simply boot up Mac OS X on his MBP when required to share files :-)
          Richard Flude
          • Sharing files in OS X is very unintuitive

            I tried to turn it on but nothing I tried would work so I went back to Windows where things "Just Work".
            NonZealot
          • Odd...

            I can manage to do the sharing thing, and gosh darn it, I'm a smug and arrogant (and possibly retarded) Macophile :P
            zkiwi
          • Of course...

            But in my smug arrogant way, I'm offering the possibility that even Mac users can out retard the Windows users, just to show we can, not that we're like that etc.

            I guess that was lost on you.
            zkiwi
        • If a house CAN be burgled, ....

          but for some reason never is, it may be less secure, but it is safer.
          arminw
    • @NonZealot

      You're right, it doesn't count, it's only a proof of concept. So when you pull up some POC on OS X just remember this headline. Question is, will there be a real one? Or is Vista just enjoying security by obscurity?

      Look at the bright side, at least ZDNet is making their sensationalist headlines balanced.
      Axsimulate
      • The difference is

        NZ was being sarcastic. To me a POC is a serious issue and this exploit is, potentially, equally serious. It really should have been patched by now unless it's something substantially more difficult to fix. I won't argue that just because this is a POC it's not important. Will you do the same next time there is a proof of concept for Linux or OS X?
        LiquidLearner