Tuesday’s security update from Microsoft fixes three related vulnerabilities that affect the way the company’s Server Message Block (SMB) Protocol software handles SMB packets.
It appears that exploiting the vulnerabilities would not require authentication, so an attacker could trigger them remotely by sending a network message to a computer running the Windows Server service.
This security update, the only one released by Microsoft as part of its monthly patch batch, is rated “critical” for Windows 2000, XP, and 2003, and “moderate” for Vista and Server 2008.
The flaws could be exploited to install malicious programs; view, change or delete data; or create new, privileged accounts, according to the Microsoft bulletin.
The security update addresses the bugs by validating the fields inside the SMB packets. Microsoft recommends that customers apply the update immediately.
“Such vulnerabilities are very difficult to exploit – not impossible – but difficult, given that they are at the kernel level,” Alfred Huger, vice president of development at Symantec Security Response, told SCMagazineUS.com on Tuesday. “The kernel is finicky. Often, attempts to exploit it more often than not will lead to a blue screen, rather than successful exploitation.”
In a comment emailed to SCMagazineUS.com, Shavlik Technologies’ CTO Eric Schultze said: “This vulnerability is similar to what prompted the Blaster and Sasser worms a few years ago. We expect to see a worm released for this in the very near future.”
He added: “The only prerequisite for this attack to be successful is a connection from the attacker to the victim over the NetBIOS (file and printer-sharing) ports (TCP 139 or 445). By default, most computers have these ports turned on.”
That is, even though the ports are usually blocked on internet firewalls and personal firewalls, they are typically left open in a corporate network.
“If a worm is released, and that worm makes it into a corporate network, it will make Swiss cheese of that network relatively quickly,” Schultze said.