The Last Watchdog

on Internet security by Byron Acohido

SMB2 zero-day flaw could expose Vista PCs to Conficker-like worm attack

Posted on | September 9, 2009 | 3 comments

Microsoft has just disclosed that the SMB2 zero-day vulnerability — for which no patch exists — is remotely exploitable.

The software giant is raising a bright red flag because the flaw affects all Windows Vista PCs and certain Windows Server 2008 systems.

I’ve begun polling some top security researchers and analysts about the go-forward implications of Security Advisory 975497, just issued by Microsoft.

The backdrop: Independent researcher Laurent Gaffie earlier this week took credit for discovering — and publicly disclosing — the flaw, an action criticized by Microsoft spokesman Christopher Budd. “This vulnerability was not responsibly disclosed to Microsoft and may put computer users at risk,” says Budd.

Gaffie claimed that a hacker could use the vulnerability to crash a Vista or Windows Server 2008 PC, producing the Blue Screen of Death.

But Microsoft’s Budd now says hackers can also remotely exploit the flaw, which means they could create a worm that searches out and takes control of any unpatched PCs connected to the Internet, much as the Conficker worm did.

So the race is on for Microsoft to design, test and issue a security patch. That could take weeks or months, raising these open-ended questions:

  • How long will it take Microsoft to design, test and issue a security patch? How long after that before the patch is widely deployed in homes and workplaces?
  • Given the threat landscape, what is the likelihood that cyber gangs will launch a self-spreading Internet worm designed to infect millions of Vista and Windows Server 2008 machines?
  • To what extent does this vulnerability lend itself to Conficker-like exploitation?
  • How effective does the Microsoft workaround appear to be?

Budd says Microsoft is not currently aware of any attacks that use the SMB2 flaw to take control of PCs. Even so, the software giant is advising Vista and Windows Server 2008 users to apply an emergency workaround.

Microsoft “recommends customers review and implement the workarounds outlined in the security advisory,” says Budd. “While these workarounds do not completely mitigate the threat, we’re currently investigating the issue and working to develop a security update. This update will be released once it reaches an appropriate level of quality for broad distribution.”
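The post does not spell out the workarounds; advisory 975497 offers two, disabling SMBv2 through the registry and blocking TCP ports 139 and 445 at the firewall. Either way, a host that has applied them stops negotiating an SMB2 dialect, and that is something you can verify from the network rather than by trusting a registry change on each box. The Python script below is an added example, not code from the post or from Microsoft: it builds an SMB1 NEGOTIATE request that offers both an SMB1 and an SMB2 dialect and classifies the reply. An SMB2 header (0xFE 'S' 'M' 'B') means the host still speaks SMB2 and is in the population a worm would target; an SMB1 dialect index means SMBv2 is disabled (or the host runs an unaffected OS such as Windows Server 2003, which never speaks SMB2); a refused or timed-out connection means port 445 is filtered. The two sample replies are constructed inline so the classifier runs offline; `probe()`, and any host name you pass it, are the only network-facing parts and are assumptions of this example.

```python
"""Check from the network whether a host still negotiates SMB2.

Added example, not code from the post or from Microsoft's advisory. Host names,
ports and the sample responses below are constructed for illustration.
"""
import socket
import struct

# Dialects offered in the SMB1 NEGOTIATE request, in this order. The DialectIndex
# an SMB1 server returns refers to this list.
DIALECTS = ["NT LM 0.12", "SMB 2.002"]

# SMB2 DialectRevision values (MS-SMB2 section 2.2.4). 0x02FF is the wildcard
# revision a server returns when the client offered "SMB 2.???".
SMB2_DIALECTS = {0x0202: "SMB 2.002", 0x02FF: "SMB 2.???"}

SMB1_HEADER = "<4sBIBHH8sHHHHH"   # 32-byte SMB1 header layout
SMB2_HEADER = "<4sHHIHHIIQIIQ16s"  # 64-byte SMB2 header layout


def build_negotiate_request() -> bytes:
    """SMB1 NEGOTIATE request offering one SMB1 and one SMB2 dialect.

    A host with SMBv2 enabled answers with an SMB2 NEGOTIATE response; a host
    with SMBv2 disabled (one of the advisory 975497 workarounds) can only pick
    the SMB1 dialect.
    """
    dialect_blob = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in DIALECTS)
    header = struct.pack(
        SMB1_HEADER,
        b"\xffSMB",       # protocol id
        0x72,             # SMB_COM_NEGOTIATE
        0,                # NT status
        0x18,             # flags: canonical paths, case-insensitive
        0xC853,           # flags2: unicode, NT status codes, extended security
        0,                # PID high (zero in a normal request)
        b"\x00" * 8,      # security signature
        0, 0, 0, 0, 0,    # reserved, TID, PID low, UID, MID
    )
    body = struct.pack("<BH", 0, len(dialect_blob)) + dialect_blob  # WordCount, ByteCount
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb  # NetBIOS session header


def classify_negotiate_response(data: bytes) -> str:
    """Classify a raw reply (NetBIOS header included) as SMB2, SMB1 or unknown."""
    if len(data) < 4 + 32:
        return "unknown"
    smb = data[4:]
    if smb[:4] == b"\xfeSMB" and len(smb) >= 64 + 6:
        # SMB2: Command sits at header offset 12 and must be 0 (NEGOTIATE);
        # the body's DialectRevision is 4 bytes past the 64-byte header.
        if struct.unpack_from("<H", smb, 12)[0] != 0:
            return "unknown"
        revision = struct.unpack_from("<H", smb, 64 + 4)[0]
        return "smb2:" + SMB2_DIALECTS.get(revision, hex(revision))
    if smb[:4] == b"\xffSMB" and smb[4] == 0x72:
        # SMB1: WordCount at offset 32, then DialectIndex; 0xFFFF means no dialect accepted.
        if len(smb) < 35 or smb[32] == 0:
            return "smb1:none"
        index = struct.unpack_from("<H", smb, 33)[0]
        if index < len(DIALECTS):
            return "smb1:" + DIALECTS[index]
        return "smb1:none"
    return "unknown"


def probe(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Send one NEGOTIATE to host:port and classify the reply (does network I/O).

    A refused or timed-out connection means the port is blocked, i.e. the
    firewall workaround from the advisory is in effect; socket errors propagate.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_negotiate_request())
        return classify_negotiate_response(sock.recv(4096))


def sample_smb2_response() -> bytes:
    """Constructed SMB2 NEGOTIATE response selecting dialect 0x0202 (not a capture)."""
    header = struct.pack(SMB2_HEADER, b"\xfeSMB", 64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 1, 0x0202, 0, b"\x00" * 16,
                       0, 0x10000, 0x10000, 0x10000, 0, 0, 0x80, 0, 0)
    return b"\x00" + len(header + body).to_bytes(3, "big") + header + body


def sample_smb1_response() -> bytes:
    """Constructed SMB1 NEGOTIATE response selecting DialectIndex 0 (not a capture)."""
    header = struct.pack(SMB1_HEADER, b"\xffSMB", 0x72, 0, 0x98, 0xC853, 0,
                         b"\x00" * 8, 0, 0, 0, 0, 0)
    body = struct.pack("<BH", 17, 0) + b"\x00" * 32 + struct.pack("<H", 0)
    return b"\x00" + len(header + body).to_bytes(3, "big") + header + body


if __name__ == "__main__":
    # Offline demonstration on the constructed replies; swap in probe("host")
    # to check a real Vista or Server 2008 machine you are authorized to scan.
    print("smb2 reply ->", classify_negotiate_response(sample_smb2_response()))
    print("smb1 reply ->", classify_negotiate_response(sample_smb1_response()))
```

Run it against a list of hosts before and after rolling out the registry change and the two result sets show exactly which machines still negotiate SMB2; a host that answers "smb1:..." is no longer reachable through the vulnerable SMB2 path even though it still serves SMB1, which is the state the advisory's workaround leaves Vista and Server 2008 in until a patch ships.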

–By Byron Acohido


Comments

  1. Yet another argument for responsible disclosure: if you don’t know your own exploit well enough to know just how dangerous it might be!

    Curious to see where this goes in the coming weeks. For the love of God, let there not be another worm…

  2. Byron,

    I thought that you might like to know that Windows Server 2003 is not affected by this vulnerability. It is certain versions of Windows Server 2008:

    Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2

    Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2

    Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2

  3. Michael:
    Thanks for pointing out the incorrect reference to Windows 2003. I will make the fix.
    Byron
