Fully functional exploit code for the (still unpatched) Windows SMB v2 vulnerability has been released to the public domain via the freely available Metasploit point-and-click attack tool, raising the likelihood for remote in-the-wild code execution attacks.
The exploit, created and released by Harmony Security's Stephen Fewer, provides a clear roadmap for hackers to plant malware or open backdoors on Windows Vista Service Pack 1 and 2 as well as Windows 2008 SP1 server.
[ SEE: Microsoft confirms SMB2 vulnerability, warns of code execution risk ]
According to Microsoft's Johnathan Ness, the company's security response team has already completed more than 10,000 separate test cases in its regression testing and is currently doing "stress testing, 3rd-party application testing, and fuzzing."
Microsoft's next scheduled Patch Day is more than two weeks away -- on October 13, 2009 -- which means the company is now under pressure to issue an emergency, out-of-cycle fix for vulnerable Windows users.
The flaw, which was originally disclosed on September 8 as a simple denial-of-service issue, does not affect the RTM version of Windows 7.
[ SEE: Remote exploit released for Windows Vista SMB2 worm hole ]
On September 17, a team of exploit writers from Immunity created a remote exploit that’s been fitted into Immunity’s Canvas pen-testing platform. The exploit hits all versions of Windows Vista and Windows Server 2008 SP2.
Until Microsoft issues a patch, vulnerable Windows users should immediately implement the one-click "fix-it" workaround that's available. The fix-it package, which was added to Redmond’s pre-patch advisory, effectively disables SMBv2 and then stops and starts the Server service. It provides temporary mitigation against remote code execution attacks targeting the known — and still unpatched — vulnerability.
Here are direct links:
To revert the workaround, and re-enable SMBv2, you can:
Mitigation guidance for enterprises is available in this blog post and in the Microsoft security advisory.
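As an added example (not the Fix-it package or any other Microsoft code), the PowerShell below performs the same two steps the workaround described above carries out, disabling SMBv2 through the LanmanServer registry value and restarting the Server service, and also the reverse step for re-enabling it. It assumes an elevated session and the Smb2 DWORD under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters; while the workaround is in place, clients fall back to SMBv1 for file and print sharing against the host.

```powershell
# Added example, not Microsoft's Fix-it package. Run from an elevated prompt.
# Assumes the Smb2 DWORD under the LanmanServer Parameters key: 0 disables
# SMBv2, 1 (or an absent value) leaves it enabled.

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb2State {
    # Report whether the server will still negotiate SMBv2, based on the registry value.
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    if ($null -eq $props.Smb2) { return 'Enabled (default, value absent)' }
    if ($props.Smb2 -eq 0)     { return 'Disabled (workaround applied)' }
    return 'Enabled'
}

function Set-Smb2Workaround {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Apply', 'Revert')]
        [string]$Action
    )

    if ($Action -eq 'Apply') {
        # Smb2 = 0 makes the Server service refuse SMBv2 negotiation; clients
        # then fall back to SMBv1, so file sharing keeps working at reduced speed.
        New-ItemProperty -Path $KeyPath -Name Smb2 -PropertyType DWord -Value 0 -Force | Out-Null
    } else {
        # Smb2 = 1 re-enables SMBv2 once the real patch is installed.
        New-ItemProperty -Path $KeyPath -Name Smb2 -PropertyType DWord -Value 1 -Force | Out-Null
    }

    # The registry change only takes effect after the Server service restarts,
    # which is the "stop and start the Server service" step of the workaround.
    # -Force also restarts services that depend on LanmanServer.
    Restart-Service -Name LanmanServer -Force

    Write-Host ("SMBv2 state: " + (Get-Smb2State))
}

# Usage:
#   Get-Smb2State                     # check before changing anything
#   Set-Smb2Workaround -Action Apply  # disable SMBv2 until a patch ships
#   Set-Smb2Workaround -Action Revert # re-enable SMBv2 after patching
```

Running Get-Smb2State across a fleet (for example via remoting or a logon script) gives a quick inventory of which hosts still have the workaround applied when the patch is later rolled out.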