Security Research & Defense

Information from Microsoft about vulnerabilities, mitigations and workarounds, active attacks, security research, tools and guidance

September, 2009

  • Update on the SMB vulnerability situation

    We’d like to give everyone an update on the situation surrounding the new Microsoft Server Message Block Version 2 (SMBv2) vulnerability affecting Windows Vista and Windows Server 2008.

    • Easy way to disable SMBv2
    • First exploit for code execution released to small number of companies
    • Mitigations that help prevent attacks
    • Status of fixes

    Easy way to disable SMBv2

    Until the security update is released, the best way to protect systems from this vulnerability is to disable support for version 2 of the SMB protocol. The security advisory was updated yesterday with a link to the Microsoft Fix It package that disables SMBv2 and then stops and starts the Server service. (This initial Fix It might prompt you to also restart the Browser service.)  You can also click here:

    Click Here To Disable SMBv2

    To revert the workaround, and re-enable SMBv2, you can click here:

    Click Here To Re-Enable SMBv2

    Disabling SMBv2 may slow down SMB connections between Windows Vista and Windows Server 2008 machines.

    First exploit for code execution released to small number of companies

    We are not aware of any in-the-wild exploits or any real-world attacks. 

    However, we are aware of exploit code developed by Immunity Inc. and released to customers who subscribe to the CANVAS Early Updates program. We have analyzed the code ourselves and can confirm that it works reliably against 32-bit Windows Vista and Windows Server 2008 systems. The exploit gains complete control of the targeted system and can be launched by an unauthenticated user.

    The exploit can be detected by intrusion detection systems (IDS) and firewalls that have signatures for the vulnerability being targeted (CVE-2009-3103).

    This exploit code from Immunity is only available to a small group of companies and organizations who will use it to determine the risk to their own networks and systems, or those of their customers. (We are aware that other groups are actively working on exploit code which is likely to be made public when it is completed).

    Mitigations that help prevent attacks

    There are a number of mitigating factors that could aid in preventing attacks such as:

    • Enterprise customers can disable SMBv2 using a simple registry script or the Fix It described above. Disabling SMBv2 prevents the vulnerable code from being reached.
    • Consumers (not part of an enterprise network) are protected by the on-by-default firewall included in Windows Vista:
      • The on-by-default Windows firewall protects vulnerable systems
      • The on-by-default Windows firewall allows packets through only if a user explicitly shares a folder or printer.
      • When a Windows Vista user chooses the ‘Public’ firewall setting, the firewall will block packets even if a folder or printer has been shared.

    Status of fixes

    Even with the above mitigations, we’re not slowing down our investigation, and are working on an update that can be delivered for all customers. The product team has built packages and are hard-at-work testing now to ensure quality. It takes more testing than you might think to release a quality update.  For this update, the product team has so far already completed over 10,000 separate test cases in their regression testing.  They are now in stress testing, 3rd-party application testing, and fuzzing.  We'd sure like to complete all that testing before the update needs to be released.  We are keeping a close eye on the changing landscape and balancing this against the remaining test actions to determine the best ship schedule to bring a quality update to customers.

    - Mark Wodrich and Jonathan Ness, MSRC Engineering

    *Posting is provided "AS IS" with no warranties, and confers no rights.*

  • OffVis updated, Office file format training video created

    In July, we released a beta Office file format viewer application called OffVis as a downloadable tool. We are pleased today to announce an updated version of OffVis and a 30 minute training video to help you understand the legacy Office binary file format.

    OffVis 1.1

    The community response to the release of the OffVis tool on July 31st has been great. Thank you for the feedback! We are releasing this new version 1.1 of OffVis in response to that feedback. This release introduces several requested new features and fixes bugs. Here are the highlights:

    • Now requires only .Net Framework 2.0 (1.0 Beta required 3.5, preventing some people from using it)
    • Addressed OLESS loading logic bugs that were leading to false negatives (detection logic misses)
    • Added the detection logic for several more Word and PowerPoint CVE’s, detecting files sent in by customers.
    • Added a “Reallocate” feature (under Tools menu) that makes some corrupted files parse-able
    • Clarified some error message text
    • Prevented OffVis from appearing in a saved location off-screen
    • Cleared highlighting after the parser changes
    • Removed limit on number of parsing notes displayed

    Here is the new list of detected CVE’s, identified by the security bulletin that addressed each one:

    • MS06-012 (March 2006)
    • MS06-028 (June 2006)
    • MS06-027 (June 2006)
    • MS06-062 (October 2006)
    • MS06-048 (August 2006)
    • MS06-060 (October 2006)
    • MS06-058 (October 2006)
    • MS07-014 (February 2007)
    • MS07-014 (February 2007)
    • MS07-014 (February 2007)
    • MS07-015 (February 2007)
    • MS07-024 (May 2007)
    • MS08-014 (March 2008)
    • MS09-010 (April 2009)
    • MS09-009 (April 2009)
    • MS09-017 (May 2009)

    Please email us any undetected malicious samples that exploit vulnerabilities for code execution. We will evaluate whether we can add detection that can help everyone detect malicious files.

    You can learn more about OffVis from our original blog post about the tool or an article written by Russ McRee in the ISSA journal.  You can download the tool at

    Office legacy binary file format training video

    Bruce Dang and Nick Finco from the MSRC Engineering team put together a 30 minute training that describes the legacy binary Office file format and describes how to parse it. Our Bluehat team agreed to record it and host it on the Bluehat technet site. You can view the video at In less than thirty minutes, they provide in-depth technical guidance, including full-screen demos. This video is geared toward security analysts, virus researchers, IDS signature authors, and security professionals.

    Direct video link:


    Thanks to the many people who made this possible. Kevin Brown and Dan Beenfeldt for the development of OffVis. Robert Hensing and Bruce Dang for tireless hours testing the tool and building and refining detection logic. The MSRC Engineering team for technical investigations leading to these detections. Bruce and Nick Finco for recording the video. Damian Hasse and Matt Thomlinson for the support to release this tool. Celene Temkin and the Bluehat team for the logistical magic to make the video happen. Thanks everybody!

    - Jonathan Ness, MSRC Engineering

    *Posting is provided "AS IS" with no warranties, and confers no rights.*

  • AutoPlay Windows 7 behavior backported

    Back in April we talked about the Windows 7 improvements in AutoPlay that disable certain functionality that has been abused by malware (like Conficker). We also mentioned that these changes would be backported to down-level platforms. On August 25th this functionality was made available for Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008. Please visit the following KB article for more information and to download the updates.

    Thanks to Dave Midturi (from MSRC) and Ugo Enyioha (from Windows Sustained Engineering team) for helping on this work.


    Damian Hasse – MSRC Engineering

    *Postings are provided "AS IS" with no warranties, and confer no rights.*

  • Assessing the risk of the September Critical security bulletins

    This morning we released five security bulletins, all of them having a bulletin maximum severity rating of Critical and two having a bulletin maximum exploitability index rating of "1" (Consistent exploit code likely). We wanted to just say a few words about each bulletin to help you prioritize your deployment this month.

    The following table presents a high-level view of the severity of each of the five Critical bulletins and the platforms at reduced risk:

    Bulletin: MS09-047
      Primary attack vector: IE browsing to malicious website, ASF or MP3 files attached to email.
      Likely first 30 days impact: Exploit developed for code execution in context of logged-in user.
      Platform mitigations: IE8 running on XP SP3 or Vista SP1 at reduced risk due to DEP. Windows Server 2003 and 2008 at reduced risk due to Enhanced Security Configuration. The hardened heap improvements in Vista and Windows Server 2008 make exploitation harder.

    Bulletin: MS09-045
      Primary attack vector: IE browsing to malicious website.
      Likely first 30 days impact: Exploit developed for code execution in context of logged-in user.
      Platform mitigations: IE8 running on XP SP3 or Vista SP1 at reduced risk due to DEP. Windows Server 2003 and 2008 at reduced risk due to Enhanced Security Configuration.

    Bulletin: MS09-048
      Primary attack vector: Attacker sending stream of malicious TCP/IP packets.
      Likely first 30 days impact: Exploit developed causing a machine resource exhaustion denial-of-service.
      Platform mitigations: Windows Vista not affected in ‘Public’ network profile.

    Bulletin: MS09-049
      Primary attack vector: Attacker sends malformed wireless frames to nearby workstation.
      Likely first 30 days impact: Exploit developed causing wlansvc service to crash.
      Platform mitigations: Windows Server 2008 at reduced risk due to Enhanced Security Configuration. The hardened heap improvements in Vista and Windows Server 2008 make exploitation harder.

    Bulletin: MS09-046
      Primary attack vector: IE browsing to malicious website.
      Likely first 30 days impact: Exploit developed causing IE to crash.
      Platform mitigations: IE8 running on XP SP3 at reduced risk due to DEP. Windows Server 2003 at reduced risk due to Enhanced Security Configuration.

    Information about MS09-045 and MS09-046

    MS09-045 and MS09-046 are both “drive-by-style” vulnerabilities. The attack vector is most likely malicious websites hosting specially-crafted JavaScript (MS09-045) or malicious use of the DHTML ActiveX control (MS09-046) to infect browsing users. Vulnerabilities that confuse the script engine can be tough to reverse-engineer from the update, so it may take a while for attackers to discover and weaponize them. We still might see a reliable exploit within 30 days, hence the “1” rating for MS09-045. The MS09-046 repro is more straightforward and is likely to be discovered, but it will be more difficult to produce a reliable exploit for code execution.

    Information about MS09-047

    The attack vector for both CVE’s addressed by MS09-047 is most likely again a malicious website but these vulnerabilities could also be exploited via media files attached to email. When a victim double-clicks the attachment and clicks “Open” on the dialog box, the media file could hit the vulnerable code. Both these vulnerabilities were responsibly-disclosed with no attacks known in the wild. However, both are fairly straightforward so it probably won’t take the community long to figure them out. We would not be surprised to see an exploit for one or both of these CVE’s within the first month of release.

    Information about MS09-048

    Next up is MS09-048 addressing vulnerabilities in the TCP/IP stack implementation. To hit the vulnerable code, an attacker must flood a victim with specially-crafted TCP/IP packets inducing one of two denial-of-service outcomes:

    • System runs out of non-paged pool memory (CVE-2008-4609 and CVE-2009-1926)
    • System incorrectly handles the hash value of a connection, crashing in kernel-mode code leading to a reboot / blue-screen-of-death (CVE-2009-1925)

    CVE-2009-1925 is rated Critical because the attacker is forcing the system to call into a random kernel address. However, based on our research, the attacker does not have sufficient control of the address to reliably achieve code execution. You can read all about it in Mark Wodrich’s blog post here. The exploitability rating of this issue is “2.”

    CVE-2008-4609 is the most likely issue from MS09-048 to be further researched as it was a coordinated release between multiple companies having the same vulnerability. Cisco is planning a 10am advisory release this morning as well. Check for more information from them.

    Information about MS09-049

    MS09-049 addresses an issue with the way Windows Vista handles Wireless networking requests. An attacker able to send malformed wireless frames can cause the Windows Vista user-mode service (wlansvc) to crash. This will be tricky to exploit due to Windows Vista’s hardened heap manager. Attacks will most likely crash the service, disrupting the ability to browse for (or automatically connect to) new networks. If already associated to a network, the machine will remain connected. Attacks will not cause the machine to reboot. The community will likely discover the vulnerability; however the Windows Vista heap mitigations will make it difficult to reliably exploit.

    Thanks Mark Wodrich for your analysis of the TCP/IP and Wireless issues that went into this blog post.  Big thanks also to the reviewers who re-shaped this post making it much better than my original: Damian Hasse, Andrew Roths, Greg Wroblewski, Robert Hensing, and Gavin Thomas from the MSRC Engineering team; Mike Reavey from MSRC Operations.

    - Jonathan Ness, MSRC Engineering

    *Posting is provided "AS IS" with no warranties, and confers no rights.*

  • MS09-048: TCP/IP vulnerabilities

    This month we released MS09-048 which addresses three vulnerabilities in the Windows TCP/IP stack. One of the vulnerabilities, CVE-2009-1925, is rated Critical due to the risk of Remote Code Execution (RCE). The other two vulnerabilities are Denial of Service (DoS) issues (due to memory exhaustion) without the risk of RCE.

    The Exploit Index rating for CVE-2009-1925 is 2 (Medium), and this blog post is intended to provide more information on the exploitability of this issue, and the reasons why the risk of RCE is lower than the Critical rating may imply. We also provide information on the new memory exhaustion protections that were implemented to address the DoS vulnerabilities.

    Why is the severity “Critical” in the bulletin?

    The TCP/IP stack is a part of the Windows kernel, and handles low-level networking protocols such as IP, TCP and UDP. The vulnerability tracked by CVE-2009-1925 allows an attacker to cause the TCP/IP stack, under certain conditions, to execute code at an invalid address. This can be done by a remote, anonymous attacker. Since executing at an invalid address is something that could be leveraged by an attacker to gain RCE, we rated the bulletin using this “worst case” impact, hence the Critical severity in the security bulletin.

    Why is the Exploitability Index rating Medium?

    The Exploitability Index is intended to provide guidance to help prioritize patch deployment. The Exploitability Index rating is based on the probability that a reliable code-execution exploit will be created within 30 days of the bulletin release [1]. For various reasons, we do not anticipate a reliable code-execution exploit will be produced for this vulnerability. Specifically:

    • The vulnerability is due to TCP/IP incorrectly using a field that contains a hash value for the TCP connection, and treating the hash value as a function pointer.
    • The hash value is computed using the Toeplitz Hash (described in detail here). This hash algorithm takes a random key as input. The key is not known to the attacker and not under the attacker’s control, which means the resulting hash value is not under the attacker’s control.
    • This effectively means the address which will be invoked as a function pointer is a random value that cannot be predicted by the attacker.
    • An attacker may be able to “spray” kernel memory with their malicious payload, and this would increase the chance that a random address would be within data they control. This would still be unreliable.

    Due to the above, except in staged scenarios where the attacker knows details about the random key used by the target computer, RCE exploits will not be reliable. As a result we assigned a Medium rating in the Exploitability Index.
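    To make the argument above concrete, here is an added example (not code from this post or from Windows) of the Toeplitz hash as specified for RSS, applied to a TCP connection 4-tuple. It assumes the RSS input layout (source IP, destination IP, source port, destination port) and a 40-byte key; the published RSS test key is used only so that the values are reproducible, whereas the real key is random and never leaves the machine.

```python
import os
import ipaddress
import struct

# Key from Microsoft's public RSS verification suite. It is not a secret; it is
# used here only so the worked values can be reproduced. Windows picks a random key.
MS_RSS_TEST_KEY = bytes.fromhex(
    "6d5a56da255b0ec24167253d43a38fb0d0ca2bcbae7b30b477cb2da38030f20c"
    "6a42b73bbeac01fa"
)


def toeplitz_hash(key: bytes, data: bytes) -> int:
    """32-bit Toeplitz hash: walk the input bits MSB-first and, for every set
    bit, XOR in the 32-bit window of the key that starts at that bit position."""
    key_bits = len(key) * 8
    if len(data) * 8 + 32 > key_bits:
        raise ValueError("key too short for this input length")
    key_int = int.from_bytes(key, "big")
    result = 0
    for i in range(len(data) * 8):
        if data[i // 8] & (0x80 >> (i % 8)):
            window = (key_int >> (key_bits - 32 - i)) & 0xFFFFFFFF
            result ^= window
    return result


def tcp4_tuple(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Hash input in RSS order: source IP, destination IP, source port, destination port."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack(">HH", src_port, dst_port))


def connection_hash(key: bytes, src_ip: str, src_port: int,
                    dst_ip: str, dst_port: int) -> int:
    """The per-connection value that CVE-2009-1925 mistakes for a function pointer."""
    return toeplitz_hash(key, tcp4_tuple(src_ip, src_port, dst_ip, dst_port))


def hashes_under_unknown_keys(src_ip: str, src_port: int, dst_ip: str,
                              dst_port: int, trials: int = 8) -> set:
    """Model of the bulletin's reasoning: the sender fixes the connection tuple
    but not the key, so each fresh 40-byte random key (assumed length) yields a
    different 32-bit value. Returns the distinct values observed."""
    return {connection_hash(os.urandom(40), src_ip, src_port, dst_ip, dst_port)
            for _ in range(trials)}


if __name__ == "__main__":
    h = connection_hash(MS_RSS_TEST_KEY, "66.9.149.187", 2794, "161.142.100.80", 1766)
    print(f"hash with the public test key: {h:#010x}")
    print("hashes with random keys:",
          sorted(f"{v:#010x}" for v in hashes_under_unknown_keys(
              "66.9.149.187", 2794, "161.142.100.80", 1766)))
```

    The hash is linear over XOR, so a sender can steer the value only relative to a key it does not know; without the key, every candidate tuple maps to an effectively random 32-bit address.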

    Will Denial of Service (DoS) attacks be reliable?

    Attackers will be able to trigger this vulnerability to cause a system crash (bugcheck) when the invalid address is executed; this would be a system-level Denial of Service (DoS). Systems that are exposed to untrusted users should be patched to protect against DoS attacks. It is also possible to mitigate against the attacks by using network firewalls that block the attack.

    New protections against memory exhaustion attacks

    With this security update, we are introducing new protections in the TCP/IP stack to prevent memory exhaustion attacks. The new protections are enabled by default on Windows Server 2003 and 2008, but not on Windows Vista. The protections will activate when the system is under severe memory pressure (when the system runs very low on nonpaged kernel memory). At this point, TCP connections will be dropped at random, helping to keep the system operational. This feature can be controlled using netsh and the registry as outlined in KB 974288.

    Servers that are under heavy load during normal operating conditions may experience severe memory pressure that would trigger the new protections. To prevent the new protections from activating and dropping connections, the administrator can follow the instruction in KB 974288 to disable the protections or exclude specific TCP ports.

    To protect systems where the new protection feature cannot be used, a NAT or reverse proxy could shield the system. For example, to protect Windows 2000 systems, a device that is not vulnerable to the DoS attacks could proxy incoming connections.


    [1] Microsoft Exploitability Index

    Updated September 11, 2009: Notes added about KB 974288 to answer customer questions.

    - Mark Wodrich, MSRC Engineering

    Posting is provided "AS IS" with no warranties, and confers no rights.

  • SQL Server information disclosure non-vulnerability

    We’ve gotten some questions about a reported issue with SQL Server exposing plaintext user passwords. We investigated the issue and found that attackers would need administrative control of a SQL Server to extract passwords from it. We checked with the security researchers who reported the issue and they confirmed that this is an information disclosure issue requiring the attacker to first have administrative control of the installation. Therefore, we do not consider this a bulletin class vulnerability. As we have mentioned in previous blog entries, it is impossible to defend against a malicious administrator. In the end, you’ve simply got to trust your legitimate administrators and keep attackers from gaining administrative access (see Immutable Law of Security #6).

    SQL Server 2008 installations actually have reduced exposure to this specific issue as the SQL team has removed specific commands that enable SQL administrators to dump memory from within SQL. And neither SQL Server 2005 nor SQL Server 2008 have SQL authentication enabled by default. (If you use the default Windows Authentication Mode instead of SQL authentication, SQL Server does not receive or store your Windows credentials.) However, any compromised system into which you enter credentials is at risk from a malicious administrator. There are a few other ways for a malicious administrator to gain user credentials. It’s really very difficult to defend a program running on a system where an attacker has full administrative control.

    Thanks Ben Richeson from the MSRC Ops team and Al Comeau from the SQL team for help with this one.

    - Jonathan Ness, MSRC Engineering

    *Posting is provided "AS IS" with no warranties, and confers no rights.*

  • New vulnerability in IIS5 and IIS6

    This afternoon, the MSRC posted a security advisory describing a newly-disclosed vulnerability in the IIS FTP service that could potentially grant remote code execution to untrusted users. You can find the advisory here.

    Vulnerability summary

    The vulnerability is a stack overflow in the FTP service when listing a long, specially-crafted directory name. To be vulnerable, an FTP server would need to grant untrusted users access to log in and create that long, specially-crafted directory. If an attacker were able to successfully exploit this vulnerability, they could execute code in the context of LocalSystem, the account under which the FTP service runs.

    Configurations at risk

    The vulnerable code is in IIS 5.0 (Windows 2000), IIS 5.1 (Windows XP) and IIS 6.0 (Windows Server 2003). IIS 7.0 (Windows Vista, Windows Server 2008) is not vulnerable. IIS 6 is at reduced risk because it was built with /GS, which helps protect the service from exploits by deliberately terminating itself when the overflow is detected, before the attacker’s code runs. We have not seen exploit code for this vulnerability that is able to bypass the /GS protection.

    Also, remember that only servers that allow untrusted users to log on and create arbitrary directories are vulnerable.

    Protecting your servers

    The advisory lists several options to protect your servers from this vulnerability until a fully-tested security update is available. The end result of the workarounds is to prevent untrusted users from having write access to the FTP service. The options presented in the advisory include:

    • Turn off the FTP service if you do not need it
    • Prevent creation of new directories using NTFS ACLs
    • Prevent anonymous users from writing via IIS settings

    The IIS Manager setting to prevent Write access can be found on the following dialog in IIS 5.

    The IIS team's best practices FTP guidance can be found at

    Detecting attacks

    We expect several of our MAPP partners with network-based detection and protection to be able to identify and potentially prevent attacks. For example, you can find snort rules available already at

    You can also detect attacks yourself by examining logfiles.  The exploit issues several commands followed by very long strings. The FTP service, by default, logs commands issued. For example, here is a sample log entry from pointing the proof-of-concept code at an internal server:

    #Software: Microsoft Internet Information Services 5.0
    #Version: 1.0
    #Date: 1111-01-01 22:45:13
    #Fields: time c-ip cs-method cs-uri-stem sc-status 
    22:45:13 [1]USER anonymous 331
    22:45:13 [1]PASS password 230
    22:45:13 [1]MKD JUNK@ÿàC~ñú~ñú~ñú~ñú~ñú~ñú~ñú~ñú~ñú~ñú~ñú~ñú~ñú~ñú~ñú~ñú~ñú~ñú~ñú~ñú~ñú~ñú~ñú~ñú~ñú~ñú~ñú~ñú~ñú~ñú~ñú~ñú~ñú~ñú~ñúEEEE›±ôw~ñúHHHHIIII~ñúJKKKécþÿÿNNNN 257

    You can find these log files, by default, in c:\winnt\system32\logfiles\MSFTPSVC1. If you currently store logfiles on the same machine as the vulnerable service, you may want to reconfigure the service to store them elsewhere to prevent an attacker from cleaning up the logfiles.
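    As an added example (not code from the post or from the IIS team), here is a small scanner for the W3C-format FTP log shown above that flags directory-related commands whose argument is overlong or contains non-printable characters. It assumes the `time c-ip cs-method cs-uri-stem sc-status` field layout, tolerates entries with the c-ip column missing (as in the sample above), and the 255-character threshold and the list of watched commands are assumptions you should tune for your servers; the embedded log is constructed, not a real capture.

```python
import re
from dataclasses import dataclass, field
from typing import Iterator, List, Optional

# Constructed sample in the IIS 5 FTP W3C log format (not a real capture); the
# second MKD carries an overlong, mostly non-ASCII directory name.
SAMPLE_LOG = (
    "#Software: Microsoft Internet Information Services 5.0\n"
    "#Version: 1.0\n"
    "#Fields: time c-ip cs-method cs-uri-stem sc-status\n"
    "22:45:13 192.0.2.10 [1]USER anonymous 331\n"
    "22:45:13 192.0.2.10 [1]PASS password 230\n"
    "22:45:14 192.0.2.10 [1]MKD reports 257\n"
    "22:45:15 192.0.2.10 [1]MKD JUNK@\u00ff\u00e0C" + "~\u00f1\u00fa" * 120 + " 257\n"
    "22:45:16 192.0.2.10 [1]QUIT - 226\n"
)

# IIS prefixes the command with a bracketed session id, e.g. "[1]MKD".
ENTRY_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) "
    r"(?:(?P<ip>\S+) )?"                       # c-ip column may be absent
    r"\[(?P<sess>\d+)\](?P<method>[A-Z]+) "
    r"(?P<arg>.*) (?P<status>\d{3})$"
)

# Assumptions behind the heuristics: legitimate directory names stay far below
# the 255-character NTFS component limit and contain no control or non-ASCII bytes.
MAX_ARG_LEN = 255
WATCHED = {"MKD", "XMKD", "CWD", "LIST", "NLST"}


@dataclass
class Entry:
    time: str
    client: Optional[str]
    session: int
    method: str
    arg: str
    status: int


@dataclass
class Finding:
    entry: Entry
    reasons: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    m = ENTRY_RE.match(line)
    if not m:
        return None
    return Entry(m["time"], m["ip"], int(m["sess"]), m["method"], m["arg"], int(m["status"]))


def parse_log(text: str) -> Iterator[Entry]:
    for line in text.splitlines():
        if not line or line.startswith("#"):       # skip W3C directives
            continue
        entry = parse_entry(line)
        if entry is not None:
            yield entry


def check_entry(e: Entry) -> List[str]:
    """Return the reasons an entry looks like an overflow attempt (empty if none)."""
    reasons: List[str] = []
    if e.method not in WATCHED:
        return reasons
    if len(e.arg) > MAX_ARG_LEN:
        reasons.append(f"argument length {len(e.arg)} exceeds {MAX_ARG_LEN}")
    bad = sum(1 for ch in e.arg if ord(ch) < 0x20 or ord(ch) > 0x7E)
    if bad:
        reasons.append(f"{bad} non-printable or non-ASCII characters in argument")
    return reasons


def scan_log(text: str) -> List[Finding]:
    return [Finding(e, r) for e in parse_log(text) if (r := check_entry(e))]
```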

    We’d like to thank Wade Hilmo and Nazim Lala from the IIS team for providing information for this blog post. Brian Cavenah from the MSRC Engineering team was also very helpful in this investigation. Thanks guys!

    - Bruce Dang and Jonathan Ness, MSRC Engineering team

    *Posting is provided "AS IS" with no warranties, and confers no rights.*