Microsoft Combats Zero Day Flaws Found In SMB Protocol

The latest vulnerability occurs in the Microsoft Server Message Block protocol 2.0 (SMB), the Windows file sharing protocol, affecting Vista, Windows 7 and Server 2008. If exploited, the critical flaw enables hackers to crash a user's system remotely by running the proof-of-concept code published Monday, according to a SANS Institute report.

So far, experts say that the worst-case scenario would result in a denial-of-service attack targeting a specific business or organization, although there are unconfirmed reports the vulnerability might lead to remote code execution.

"[The SMB vulnerability] doesn't appear to be the biggest risk at the moment," said Andrew Storms, director of security operations for security vendor nCircle. "Right now it's only a denial of service. The word 'only' is the key point -- the seriousness really depends upon the organization."

However, Microsoft has yet to issue an advisory warning users of attacks exploiting the flaw, Storms added.

For the most part, the SMB vulnerability has little impact on the average consumer, as long as firewalls are properly functioning, experts said.

SANS researcher Guy Bruneau recommended that IT administrators turn off the file-sharing protocol and ensure that firewalls filter access to TCP port 445 in order to prevent users from becoming infected while engaging in file-sharing activities. "The exploit needs no authentication, only file sharing enabled with one packet to create a BSOD," Bruneau said in a SANS blog.

Meanwhile, Microsoft is still investigating a critical, zero-day FTP vulnerability after researchers detected active attacks exploiting the flaw last week.

Microsoft said in its advisory on Thursday that it was currently investigating reports of "limited attacks" exploiting the FTP vulnerability after detailed exploit code was published last week on the Web.

Specifically, the vulnerability could allow attackers to launch malicious code to infiltrate a company's FTP server running on Microsoft Internet Information Services 5.0 or launch denial-of-service attacks on systems running the FTP Service on IIS 5.0, IIS 5.1, IIS 6.0 or IIS 7.0.

"It affords (attackers) full administrative controls over that single server. They could use that as a jumping-off point to get inside an internal network," Storms said. "It's kind of like casing the joint. You sit outside and look and wait for the right time."

Storms added that the seriousness of the FTP flaw was mitigated, in part, because the majority of FTP servers are open-source versions, and not Microsoft's FTP Service.

Microsoft first issued a security advisory last week warning users of the flaw, and will issue a fix for the vulnerability either in its regular monthly patch cycle or as an out-of-band patch.

Storms said that it is likely that Microsoft will issue a patch repairing the FTP glitch by the October Patch Tuesday release.

"[A fix is] almost certainly expected between now and next month," Storms said. "If things escalate, if they see more attacks, then you're going to see the out-of-band come."

Until a fix for the FTP flaw can be created, security experts recommend that users disable, within the designated permission settings, the ability for a remote user to create a folder on the FTP server, ensure firewalls are updated and restrict access to creating directories.