by Tech Writer, Heptacube Inc.

2009-11-16 14:59:08

Abstract

Microsoft has confirmed last week's announcement of a vulnerability in the Server Message Block protocol affecting machines running Windows 7 or Windows Server 2008 R2.

Exploit & Code

Original "Executive summary" of Microsoft's advisory:

"Microsoft is investigating new public reports of a possible denial of service vulnerability in the Server Message Block (SMB) protocol. This vulnerability cannot be used to take control of or install malicious software on a user’s system. However, Microsoft is aware that detailed exploit code has been published for the vulnerability. Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed."

Attackers should not be able to exploit this vulnerability for anything other than a denial of service (DoS) attack, but that is already serious enough to warrant a patch as soon as possible. Microsoft has not yet said anything about an upcoming patch, although December 8th, the next "Patch Tuesday", would be an appropriate date for one.

In the meantime, the only advice to users is to block incoming connections to ports 139 and 445. The SMB protocol uses these ports for file and printer sharing on a network. Windows 2000 was the first release to use port 445; earlier versions mainly used port 139. Port 139 is now used only for communicating with systems running pre-2000 versions of Windows, so closing it has almost no consequence. Blocking port 445 is more problematic, as SMB requires it when sharing with a computer running Windows 2000/ME/XP.

So blocking access to these ports on the router is the temporary, effective workaround for this vulnerability. Local Area Network (LAN) sharing should continue to work normally, which will be fine for the average user. But companies and other users who use DHCP, for instance, had better hope that Microsoft releases a patch soon, because they will need port 445 to continue their normal activities.
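To confirm that the router rule described above is actually in effect, the check below can be run from a machine outside the perimeter against your own hosts. It is an added example, not part of the original article or of Microsoft's advisory; the function names and the command-line usage are assumptions made for illustration.

```python
import socket
import sys

# Ports named in the workaround: NetBIOS session service and direct-hosted SMB.
SMB_PORTS = (139, 445)


def port_state(host, port, timeout=2.0):
    """Classify a TCP port as 'open', 'closed' or 'filtered'.

    open     - the handshake completed, so the SMB service is reachable
    closed   - the host actively refused (nothing listening, no drop rule)
    filtered - no usable answer, which is what a dropping firewall produces
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes timeouts and unreachable-network errors
        return "filtered"


def audit(hosts, ports=SMB_PORTS, timeout=2.0):
    """Return {host: [ports still accepting connections]} for exposed hosts."""
    exposed = {}
    for host in hosts:
        reachable = [p for p in ports if port_state(host, p, timeout) == "open"]
        if reachable:
            exposed[host] = reachable
    return exposed


if __name__ == "__main__":
    # Usage (assumed): python smb_check.py <your-host> [<your-host> ...]
    findings = audit(sys.argv[1:])
    for host, ports in findings.items():
        print(f"{host}: SMB still reachable on {ports}; workaround not in effect")
    sys.exit(1 if findings else 0)
```

A host behind a correctly configured router should report both ports as filtered from outside, while the same check run from inside the LAN should still show port 445 open if file sharing is in use.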

Keywords

DoS
Server2008
SMB
Windows
Windows7