Windows SMB2 exploit now public; Expect in-the-wild attacks soon

Summary: Fully functional exploit code for the (still unpatched) Windows SMB v2 vulnerability has been released to the public domain via the freely available Metasploit point-and-click attack tool

Fully functional exploit code for the (still unpatched) Windows SMB v2 vulnerability has been released publicly as a module for the freely available Metasploit attack framework, raising the likelihood of in-the-wild remote code execution attacks.

The exploit, created and released by Harmony Security's Stephen Fewer, gives attackers a clear roadmap for planting malware or opening backdoors on Windows Vista Service Pack 1 and 2 as well as Windows Server 2008 SP1.

[ SEE: Microsoft confirms SMB2 vulnerability, warns of code execution risk ]

The release of the public exploit puts Microsoft under serious pressure to complete its patch-testing process and release a fix to head off in-the-wild attacks.

According to Microsoft's Johnathan Ness, the company's security response team has already run more than 10,000 separate test cases in its regression testing and is currently doing "stress testing, 3rd-party application testing, and fuzzing."

Microsoft's next scheduled Patch Day is more than two weeks away, on October 13, 2009, which means the company is under pressure to issue an emergency, out-of-cycle fix for vulnerable Windows users.

The flaw, which was originally disclosed on September 8 as a simple denial-of-service issue, does not affect the RTM version of Windows 7.

[ SEE: Remote exploit released for Windows Vista SMB2 worm hole ]

On September 17, a team of exploit writers from Immunity created a remote exploit that has been fitted into Immunity's Canvas pen-testing platform. That exploit hits all versions of Windows Vista and Windows Server 2008 SP2.

Until Microsoft issues a patch, vulnerable Windows users should immediately apply the one-click "Fix it" workaround Microsoft has published. The package, which was added to Redmond's pre-patch advisory, disables SMBv2 and then stops and starts the Server service. With SMBv2 switched off the host no longer exposes the vulnerable code path, so the workaround is a temporary mitigation against remote code execution attacks targeting the known, and still unpatched, vulnerability.

Here are direct links:

To revert the workaround and re-enable SMBv2, you can:

Mitigation guidance for enterprises is available in this blog post and in the Microsoft security advisory.
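The workaround described above in script form, as an added example that is not Microsoft's Fix-it package or any code from the article. It assumes the registry value the Fix-it toggles is the Smb2 DWORD under the LanmanServer\Parameters key (that is what Microsoft's advisory documents; the article itself does not reproduce it), that the Server service's internal name is LanmanServer, and PowerShell 2.0 or later on Vista / Server 2008. It applies, verifies or reverts the workaround and restarts the service the same way the Fix-it does:

```powershell
# Added example (not Microsoft's Fix-it): apply, verify or revert the
# "disable SMBv2" workaround for the unpatched SMB2 vulnerability.
# Run from an elevated PowerShell prompt on Vista / Server 2008.
# Usage:  .\smb2-workaround.ps1 -Action Apply | Verify | Revert
param([string]$Action = 'Verify')

# Assumption: registry location documented in Microsoft's advisory for this flaw.
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$valueName = 'Smb2'

if (@('Apply', 'Verify', 'Revert') -notcontains $Action) {
    throw "Unknown -Action '$Action'; use Apply, Verify or Revert."
}

# Windows 7 RTM (6.1) is not affected per the article; warn rather than touch it.
$os = [Environment]::OSVersion.Version
if ($os.Major -eq 6 -and $os.Minor -ge 1 -and $Action -ne 'Verify') {
    Write-Warning "This host reports Windows $($os.Major).$($os.Minor); the workaround targets Vista / Server 2008 (6.0)."
}

function Get-Smb2State {
    # 'disabled' only when Smb2 exists and is 0; absent (the default) or non-zero means enabled.
    $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($item -ne $null -and $item.$valueName -eq 0) { return 'disabled' }
    return 'enabled'
}

function Restart-ServerService {
    # The registry change only takes effect once the SMB2 server driver is
    # reloaded, which is why the Fix-it stops and starts the Server service.
    Stop-Service -Name LanmanServer -Force    # -Force also stops dependents (e.g. Computer Browser)
    Start-Service -Name LanmanServer
    # Dependents are not restarted automatically; tell the admin which ones stayed down.
    Get-Service -Name LanmanServer -DependentServices |
        Where-Object { $_.Status -ne 'Running' } |
        ForEach-Object { Write-Warning "Dependent service still stopped: $($_.Name)" }
}

switch ($Action) {
    'Apply' {
        New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
        Restart-ServerService
    }
    'Revert' {
        # Removing the value restores the default (SMBv2 enabled), which is what
        # the revert package does; the patch, once released, still has to be applied.
        Remove-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
        Restart-ServerService
    }
}

# Report either way and use the exit code so the script doubles as a compliance
# check from a scheduled task or login script: 0 = SMBv2 off, 1 = still exposed.
$state = Get-Smb2State
"SMBv2 on $env:COMPUTERNAME is $state"
if ($state -eq 'enabled') { exit 1 } else { exit 0 }
```

Run it elevated; `-Action Verify` only reads the registry, so it is safe to push to every machine and collect the exit codes. With SMBv2 disabled, Vista and Server 2008 peers negotiate down to SMBv1, so file sharing keeps working, just without SMBv2's performance gains; that is the trade-off to weigh before rolling the workaround out broadly, and the reason to revert it once the real patch is installed.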

  • Another "researcher" makes a name for himself.

    So, just why was it necessary for this Bozo to actually "create and release the code" for the exploit? Let me guess. His company makes money by hyping up the level of fear. See their web page where they say their business is "research and consultancy" - meaning that they profit by releasing the exploit code so that people will hire them to fix it. Sounds a little like blackmail to me.

    Of course this is one of those stories that is going to devolve into a Linux Vs Windows Vs Mac flame war within the next ten seconds or so; so within that time everyone will forget the original issue and the irresponsible behavior of these "security" companies.
    • Technically, it was a team of Bozos

      I think the question of whether to release code or not comes down to one simple question. Would the release of the code accelerate or assist in any way the proper resolution of this security bug? In this case, given that the source of the vulnerable software is closed and that the proprietary company in charge of fixing the vulnerability has the resources it needs to patch the code but now is only delayed due to the lengthy test process mandated by the nature of this software, it's pretty obvious that the answer to that question is an unqualified no.

      The only thing that can accelerate the patching process in this case is for more people to volunteer to test the beta patches, though I am not sure if MS is taking volunteers.
      Michael Kelly
      • You two are funny.

        You are asking a chicken/egg question.


        An exploit is an exploit, just because someone releases code to a specific site doesn't mean the code didn't exist wayyy prior to the initial public discovery process. The important word here... PRIOR. Yes 0 DAY flaws. Hackers/crackers and script kiddies love 0 dayz.

        Just like the drug trade, you know it's probably going on, you don't see it right away, but when it happens and the police go after them, you still have the people the drugs were already distributed to. In this case.. a 0 day.
      • I agree.

        If Microsoft plans on staying relevant over the next 10-20 years, they seriously need to consider opensourcing.
        Here is an explanation from a man who is much more qualified to discuss this than I am, quoted directly from Bill Vass' blog:
        [i]Imagine you enter the security line at the airport and there is a proprietary vendor in front of you with his locked suitcase telling the TSA official not to worry, and to trust him, stating he has checked everything in his suitcase and it is safe. How would this make you feel? Pretty vulnerable...right? Wouldn't it be better if the person in front of you is a true open source advocate and welcomes the TSA official to check anything he wants...because he has nothing to hide?

        Who are you going to feel safe about getting on the plane with? It's a why would you trust a vendor to put stuff on your server with life critical or mission critical systems, where no one can see what is on the server except for that one company, or that one group of people. I have sometimes heard some proprietary vendors say about open source code "but everyone can see how the security works." They are making the point for me! That is why open source code has to be made stronger on open source than on proprietary software products.[/i]
    • *sighs*

      As you should know, given how you've already mentioned Macs, Apple operates on a "security through obscurity" mindset. With a lot of big companies, independent release of the code forces them to take steps to mitigate the exploit. These vulnerabilities existed long before we hear about them, chances are there's code on the net somewhere talking about it. Only difference is now everyone knows about the flaw.

      So no, this isn't irresponsible. Yes, they could have waited a little longer, but they forced the issue so now there's a quick fix for anyone not using SMBv2. Which happens to be most of the consumer world. Anyone not a business anyways. Unlikely that would have come out if this was still hacker only knowledge.
  • RE: Windows SMB2 exploit now public; Expect in-the-wild attacks soon

    Just do the workaround and you're all set. Not a big deal. I don't understand why you had to repeat "unpatched" so many times. You made it clear the first time, Microsoft already has a patch in the works and are testing it. It is not as big of a problem as you want it to be.
    Loverock Davidson
    • Never thought this would happen...

      But I agree with you Loverock :-). Bugs happen, and yes sometimes they're security ones. They get patched, and things move on.

  • RE: Windows SMB2 exploit now public; Expect in-the-wild attacks soon

    I have read many reports of vulnerability holes being open for 1 year or more on MS platforms prior to them releasing a security patch, I agree with any method that is used to accelerate the development of a true fix for a known issue. The action of releasing an exploit tool is negative at this point in time, but it should force MS to devote additional resources to build the patch and properly protect their customers from their mistake.

    Now for the part that you wanted to come, if the SMB components were open source this issue could have been found and corrected a long time ago rather than leaving the customers open since the implementation of the affected platforms.
    • Rushing is not a good idea sometimes.

      OSes are complex software and it's normal that they spend a good amount of time doing tests (regression, unit, etc.) before releasing a patch or we might see the patch giving us other problems or vulnerabilities.

      And even with all that testing, there's a chance that a new vulnerability or weird effect happens because of the complex nature of the OS.

      This applies on Macs and Linux also.
  • And this will get around my firewall and antivirus how

    And this will get around my firewall and antivirus how?? Maybe I'm wrong here but I would think one of the first people to download the exploit is the antivirus/firewall companies so they can block the malware/exploit. Am I wrong here??
    • Re: And this will get around my firewall and antivirus how

      You can view the description from SANS @RISK (

      It is possible for the firewall companies to issue an advisory to update the block list to include the structure of the malformed packets but it may also increase false positives and negatively affect your network resources. This is a network based attack and per my understanding it cannot be detected by a traditional antivirus program, since they search files on the system not packets coming through the network adapter.
    • If you have a hardware firewall

      you should have the relevant ports blocked already, but you should probably check to be sure. But that does not prevent an internal attack. A software firewall would prevent all SMB2 communications, but then again if you want that why not just disable SMB2 entirely?
      Michael Kelly
      • Hardware firewall and NATs

        well if you're behind a NAT router, you should be safe from this... unless you have a DMZ.

        and you could block relevant ports on a software level until the patch arrives.
      • Firewalls should be able to filter smb2 traffic

        I don't want smb2 disabled. I want to transfer files from my media server to where I want to view/hear my media.

        I can set my software firewalls to block smb2 traffic from anywhere but computers/ip addresses on a whitelist in its settings. Most decent firewalls should have this capability. Even GNU/Linux (Firestarter) can do that. If FOSS can do it, anybody else providing firewall protection should be able to do it as well. If you can't, upgrade your soft firewalls on your LAN computers.

        Blocking NetBIOS/smb2 (ports 138 and 139) at the hardware level firewall in your router will prevent WAN access.

        My only vulnerable machine (Vista SP2) is my laptop that purposely dual boots Linux. Only time I could have a problem is away from home. But then I suggest you should always disable/block NetBIOS/smb2 on public LANs anyway.
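An allow-list for inbound SMB with the built-in Windows Firewall on Vista / Server 2008, as an added example that is not from the article or any of the commenters above. It assumes the `netsh advfirewall` context (present on Vista and later) and uses a placeholder LAN subnet; note that SMB over TCP/IP uses port 445 in addition to the NetBIOS session port 139, so a rule that only covers the NetBIOS ports leaves the direct-host path open:

```powershell
# Added example (not from the article): restrict inbound SMB to an allow-list
# using Windows Firewall via netsh advfirewall, for a host that must keep
# serving files while the SMBv2 patch is pending. Run from an elevated prompt.
$allowedSources = '192.168.1.0/24'     # assumption: the only network that may reach this server's shares
$ruleName       = 'SMB-allowlist'      # hypothetical rule name, kept free of spaces for netsh

# 1. Disable the stock "File and Printer Sharing" rules; they allow 445/139 from
#    any address on the Private and Domain profiles, which is what we want to narrow.
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=no

# 2. Add one scoped allow rule covering both SMB transports. Windows Firewall denies
#    inbound by default and block rules override allow rules, so "default deny plus
#    a scoped allow" is the clean way to express "only these hosts".
netsh advfirewall firewall delete rule name=$ruleName | Out-Null    # makes re-runs idempotent
netsh advfirewall firewall add rule name=$ruleName dir=in action=allow `
    protocol=TCP localport=445,139 "remoteip=$allowedSources" profile=any

# 3. The scoped allow is meaningless if someone has flipped the default inbound
#    action to allow, so check every profile and warn.
netsh advfirewall show allprofiles |
    Select-String 'Firewall Policy' |
    ForEach-Object {
        if ($_ -notmatch 'BlockInbound') { Write-Warning "Inbound default is not block: $_" }
    }

# 4. Show what is now in force for the new rule.
netsh advfirewall firewall show rule name=$ruleName
```

This limits who can reach the SMB service; it does not protect against an attacker who already controls a host inside the allowed range, which is why the firewall rule complements, rather than replaces, disabling SMBv2 on hosts that can afford it.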
    • You're kidding, right?

      Yes the firewall companies _should_ block attacks once they know the vector, where the attack's coming from BUT. Your antivirus won't do anything. It stops viruses, not exploits. And in this case, b/c of how the exploit is, shutting down SMBv2 is really the only protection that you can get. You can't block an attack if you don't know the difference between that and a normal, everyday activity.

      tl:dr, tms:du

      Antivirus does jack all. Firewall generally won't stop exploits b/c it can't tell the difference between exploit and normal activity.

      But in all cases other than exploits like these, releasing the virus code or attack path to the internet means that there'll be virus definitions, patches, updates, etc within hours in most cases.
  • This is only a problem for...

    Users who aren't security conscious in the first place. To me, and probably Microsoft as well, this problem is a low priority. Anybody getting attacked on this vector is most probably already compromised. This vector is just another way to control existing botnets.

    We should require individual licensing before allowing people onto the information super highway. Too many internet users, no matter their current citizenship, are like sheep blocking the road in a third world country. They're accidents waiting to happen. Licensing could at least hold them accountable for facilitating DDOS attacks and other mischief.
    • NAC for the whole Internet? That'll be the day

      The thing that makes the Internet great is that it is a completely open highway allowing varied uses and infinite possibilities - the problem is that this open highway model is also its greatest weakness.

      If there were a way to disallow endpoints from communicating on the Internet unless they met some basic level of security patching it would mitigate all of these types of problems. This could be accomplished through some sort of large scale Network Admission Control type solution. In a pie-in-the-sky world this would be the answer. The reality though is that it would be an ideal way for nefarious regimes to enforce censorship or to limit free speech.

      This is quite a conundrum...
      • We can dream, can't we? (nt)

  • That didn't take long!

    BTW, are those Dell laptops I see for over $1600 advertised on ZDNet?

    And I thought APPLE was expensive!!!