MS Patch Tuesday: 3 critical SMB vulnerabilities

Microsoft today shipped a solitary bulletin with patches for at least three documented security flaws in the Microsoft Server Message Block (SMB) Protocol.

The three vulnerabilities, rated “critical” on Windows 2000, Windows XP and Windows Server 2003, expose Windows users to remote code execution attacks, Microsoft said in its MS09-001 bulletin. The company warns:

“An attacker who successfully exploited these vulnerabilities could install programs; view, change, or delete data; or create new accounts with full user rights.”

Only two of the three vulnerabilities affect Windows Vista and Windows Server 2008.

Although the exposure to risk seems severe (remote code execution), Microsoft believes it’s unlikely that functioning exploit code will be created and released. Microsoft’s Mark Wodrich explains why:

  • The vulnerabilities cause a fixed value (zero) to be written to kernel memory – not data that the attacker controls.
  • Controlling what data is overwritten is difficult. To exploit this type of kernel buffer overrun, an attacker typically needs to be able to predict the layout and contents of memory. The memory layout of the targeted machine will depend on various factors such as the physical characteristics (RAM, CPUs) of the system, system load, other SMB requests it is processing, etc.

Eric Schultze, CTO at patch management specialists Shavlik, still recommends that Windows users view MS09-001 as “super critical to install right away.”

This flaw enables an attacker to send evil packets to a Microsoft computer and take any action they desire on that computer, no credentials required. The only prerequisite for this attack to be successful is a connection from the attacker to the victim over the NetBIOS (File and Printer Sharing) ports (tcp 139 or 445). By default, most computers have these ports turned on.

While these ports are usually blocked on Internet firewalls and personal firewalls, these ports are typically left open in a corporate network. If a worm is released, and that worm makes it into a corporate network, it will make Swiss cheese of that network relatively quickly.
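The exposure Schultze describes is testable: any host that completes a TCP handshake on 139 or 445 from an attacker's network position is reachable by the pre-authentication attack path, whether or not it is patched. The following is an added example, not code from the ZDNet article, Microsoft or Shavlik. It probes a list of hosts for those two ports and reports which ones accept connections; the hostnames in TARGETS are constructed placeholders, and the two local-listener helpers exist only so the check can be exercised offline against 127.0.0.1 on a high port (the real SMB ports are privileged).

```python
"""Exposure check for the ports MS09-001 attacks travel over (tcp/139, tcp/445).

Added example: not code from the article or from Microsoft/Shavlik.
Hostnames in TARGETS are constructed placeholders; replace them with the
systems in your own segment.
"""
import socket
import threading

SMB_PORTS = (139, 445)  # NetBIOS session service, SMB directly over TCP


def probe_port(host, port, timeout=1.0):
    """Return True if a TCP handshake to host:port completes, else False.

    A completed handshake is all a pre-authentication SMB attacker needs; no
    credentials are involved at this layer, so "reachable" means "exposed".
    DNS failures, refusals and timeouts are all OSError subclasses -> False.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def smb_exposure(hosts, ports=SMB_PORTS, timeout=1.0):
    """Map each host to the list of SMB-related ports that accept connections."""
    return {host: [p for p in ports if probe_port(host, p, timeout)] for host in hosts}


def exposed_hosts(report):
    """Hosts with at least one reachable port: the candidates a worm could hop to."""
    return sorted(h for h, ports in report.items() if ports)


def start_local_listener():
    """Open a TCP listener on 127.0.0.1 on an OS-chosen port (offline demo only).

    Returns (port, server_socket). Stands in for a host with File and Printer
    Sharing enabled. Close the returned socket to stop the accept loop.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener closed
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return port, srv


def free_local_port():
    """Pick a port that is currently closed on 127.0.0.1 (offline demo only)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Constructed targets: an internal file server and a workstation.
    TARGETS = ["fileserver.corp.example", "ws-1042.corp.example"]
    report = smb_exposure(TARGETS)
    for host, ports in report.items():
        if ports:
            state = "EXPOSED on " + ", ".join("tcp/%d" % p for p in ports)
        else:
            state = "not reachable"
        print("%-28s %s" % (host, state))
```

Run it from the network position an attacker would realistically hold (a workstation VLAN, a VPN pool) rather than from the management network, since the point of the check is to see what an unauthenticated peer can reach; hosts it reports as exposed are the ones to confirm against the MS09-001 patch state first.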

According to Roel Schouwenberg, a senior anti-virus researcher at Kaspersky Lab (my employer) the risk of a network worm attack is minimal. “It’s unlikely we’ll see a worm,” he said.

[Source: zdnet]