Microsoft unveils tool for Windows flaw as attack code looms

Company urges users to run single-click tool before hackers exploit "decently wormable" flaw

With attack code that exploits a critical unpatched bug in Windows likely to go public soon, Microsoft wants users to run an automated tool that disables the vulnerable component.

The bug in SMB (Server Message Block) 2, a Microsoft-made network file- and print-sharing protocol that ships with Windows, affects Windows Vista, Windows Server 2008 and preview releases of Windows 7 .

When the flaw was first disclosed Sept. 7, it was thought that attacks would only crash PCs, causing the notorious Blue Screen of Death. Since then, however, researchers have figured out how to create exploits that can be used to hijack a vulnerable computer.

Last Wednesday, Miami Beach-based Immunity, which is best known for its CANVAS penetration testing framework, built a working remote code exploit, and released it to paying subscribers of its Early Updates program .

On Friday, Microsoft confirmed that Immunity's exploit worked as advertised. "We have analyzed the code ourselves and can confirm that it works reliably against 32-bit Windows Vista and Windows Server 2008 systems," said Mark Wodrich and Jonathan Ness, both members of the Microsoft Security Response Center (MSRC) engineering team, on a company blog . "The exploit gains complete control of the targeted system and can be launched by an unauthenticated user."

More worrisome, however, was news that the open-source Metasploit pen-testing software will add attack code this week, according to HD Moore, a noted security researcher and one of Metasploit's makers. Metasploit's exploit code is often used by hackers to build malicious attacks.

According to Kostya Kortchinsky, an Immunity researcher who worked on the CANVAS attack module, the SMB 2 vulnerability is " decently wormable."

That prompted Wolfgang Kandek, the chief technology officer for security company Qualys, to implore Windows users to immediately deploy Microsoft's defensive measure. "The implementation of this workaround is now becoming critical as attackers will have access to the code soon, in the most optimistic case next week," said Kandek on Wednesday.

Microsoft has not yet set a timetable for a patch, but said it is working on a fix. "We're not slowing down our investigation, and are working on an update that can be delivered for all customers," said Wodrich and Ness. "The product team has built packages and [is] hard-at-work testing now to ensure quality."

Until a patch is ready, Microsoft recommended that users run the automated "Fix it" tool posted Friday on its support site. The tool automatically disables the SMB 2 service, rendering any attack moot. That, however, also makes it impossible for PCs to communicate to file servers and network printers using the protocol.

Microsoft has used "Fix it" tools several times recently to help customers protect their machines until it can create and thoroughly test patches. The last time it delivered such a tool was in early July, when it issued a "Fix it" to stymie attacks against Internet Explorer 6 (IE6) and IE7.

The company's next scheduled patch day is Oct. 13, more than three weeks away, but in rare cases, Microsoft releases "out-of-band" updates, usually when it sees attacks actually under way.

So far, it hasn't found any. "We are not aware of any in-the-wild exploits or any real-world attacks," said Wodrich and Ness.

Windows Vista, Windows 2008 and Windows 7 Release Candidate (RC), the preliminary build that was handed out to millions from early May to late August, contain the SMB 2 flaw and are vulnerable to attack. Older editions, such as Windows XP, and the final version of Windows 7, dubbed RTM for "release to manufacturing," are not at risk.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityhackersMicrosoftWindows 7exploits and vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?