Microsoft Windows SMB2 Vulnerability
Independent security researchers announced a new vulnerability in Microsoft Windows Vista and Windows Server 2008 on the day of the September Microsoft security bulletin announcement. Although first publicized as a denial of service vulnerability, a security advisory from Microsoft later confirmed that attackers could leverage the vulnerability to execute arbitrary code. Although exploit code in some private vulnerability testing tools has been reported, no public examples of exploit code exist.
The vulnerability stems from flaws in the Windows Server Message Block 2 (SMB2) networking component included in Windows Vista and Windows Server 2008. Although SMB2 is also included in Windows 7 and Windows Server 2008 R2, changes to the component in those releases leave them unaffected. No update is currently available that corrects the vulnerability on the affected platforms; only workarounds exist.
Although serious, this new vulnerability in Microsoft software may be less dangerous than web-based exploits. Attacks against file-sharing services are well understood, and sites typically block the ports used by Windows file sharing (TCP 139 and 445) at both perimeter and host-based firewalls. In addition, the vulnerability affects only a limited set of platforms, and those platforms are likely to block access to the affected ports in their default configurations. Windows Vista systems with the network profile set to “Public” block inbound access to file shares, which limits exposure for mobile systems in untrusted environments. Windows Server 2008 systems are at the greatest risk when used as file servers for widely accessible shares. On affected systems that do not rely on SMB2, administrators can disable the SMB2 component, which removes the exploit vector while leaving SMB1 file sharing available; hosts that need no file sharing at all should additionally block the SMB ports at the host firewall.

Microsoft has released Security Advisory 975497, which describes these workarounds for the vulnerability. Cisco IntelliShield has released a security alert detailing the Windows SMB2 vulnerability, and Cisco IPS has released signature 20961/0. The vulnerability is also discussed in the weekly Cyber Risk Report for the week of September 14-20, 2009. Cisco will continue to monitor the vulnerability.
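The following PowerShell script is an added example of applying the workaround described above; it is not code from Cisco or from Microsoft's advisory. The registry location (LanmanServer\Parameters, DWORD value Smb2 = 0) and the Server service restart are the steps Security Advisory 975497 documents for disabling SMB2; the firewall rule name and the $needsSharing flag are assumptions chosen for this example. Run it in an elevated PowerShell session on an affected Windows Vista or Windows Server 2008 host.

```powershell
# Added example (not from Cisco or Microsoft): apply the "disable SMB2"
# workaround from Microsoft Security Advisory 975497 and verify it.
# Requires an elevated (Administrator) PowerShell session.

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$name = 'Smb2'

function Get-Smb2State {
    # The value is absent by default, which means SMB2 is enabled.
    # An explicit 0 disables the SMB2 server; any other value enables it.
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -eq $null -or $props.$name -eq $null) { return 'enabled (default, value absent)' }
    if ([int]$props.$name -eq 0) { return 'disabled' }
    return 'enabled'
}

Write-Host "SMB2 before: $(Get-Smb2State)"

# 1. Disable SMB2 by creating (or overwriting) the DWORD value Smb2 = 0.
#    The SMB1 server keeps running, so existing shares remain reachable
#    for clients that negotiate SMB1.
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null

# 2. The Server service only reads this value at start-up, so restart it
#    (-Force also restarts dependent services such as the Computer Browser)
#    to make the change effective without a reboot.
Restart-Service -Name LanmanServer -Force

Write-Host "SMB2 after:  $(Get-Smb2State)"

# 3. Second layer for hosts that do not need file sharing at all: block the
#    SMB ports at the host firewall. The rule name is an arbitrary label
#    chosen for this example; $needsSharing is an assumption (set it to
#    $true on a file server to skip the rule).
$needsSharing = $false
if (-not $needsSharing) {
    netsh advfirewall firewall add rule name="Block inbound SMB (975497 workaround)" `
        dir=in action=block protocol=TCP localport=139,445 | Out-Null
    Write-Host "Inbound TCP 139/445 blocked at the host firewall."
}

# To revert once a patch is installed: remove the value (or set it to 1),
# delete the firewall rule, and restart the Server service again:
#   Remove-ItemProperty -Path $key -Name $name
#   netsh advfirewall firewall delete rule name="Block inbound SMB (975497 workaround)"
#   Restart-Service -Name LanmanServer -Force
```

Disabling SMB2 this way is a server-side change: it stops the host from accepting SMB2 sessions, which is the affected code path, but does not alter the SMB2 client component. Re-enable it after the vendor update is applied, since SMB2 offers better performance for Vista and Server 2008 clients.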