We’d like to give everyone an update on the situation surrounding the new Microsoft Server Message Block Version 2 (SMBv2) vulnerability affecting Windows Vista and Windows Server 2008.

  • Easy way to disable SMBv2
  • First exploit for code execution released to small number of companies
  • Mitigations that help prevent attacks
  • Status of fixes

Easy way to disable SMBv2

Until the security update is released, the best way to protect systems from this vulnerability is to disable support for version 2 of the SMB protocol. The security advisory was updated yesterday with a link to the Microsoft Fix It package that disables SMBv2 and then stops and starts the Server service. (This initial Fix It might prompt you to also restart the Browser service.)  You can also click here:

Click Here To Disable SMBv2

To revert the workaround, and re-enable SMBv2, you can click here:

Click Here To Re-Enable SMBv2

Disabling SMBv2 may slow down SMB connections between Windows Vista and Windows Server 2008 machines.

First exploit for code execution released to small number of companies

We are not aware of any in-the-wild exploits or any real-world attacks. 

However, we are aware of exploit code developed by Immunity Inc. and released to customers who subscribe to the CANVAS Early Updates program. We have analyzed the code ourselves and can confirm that it works reliably against 32-bit Windows Vista and Windows Server 2008 systems. The exploit gains complete control of the targeted system and can be launched by an unauthenticated user.

The exploit can be detected by intrusion detection systems (IDS) and firewalls that have signatures for the vulnerability being targeted (CVE-2009-3103).

This exploit code from Immunity is only available to a small group of companies and organizations who will use it to determine the risk to their own networks and systems, or those of their customers. (We are aware that other groups are actively working on exploit code which is likely to be made public when it is completed).

Mitigations that help prevent attacks

There are a number of mitigating factors that could aid in preventing attacks such as:

  • Enterprise customers can disable SMBv2 using a simple registry script or the Fix It described above. Disabling SMBv2 prevents the vulnerable code from being reached.
  • Consumers (not part of an enterprise network) are protected by the on-by-default firewall included in Windows Vista:
    • The on-by-default Windows firewall protects vulnerable systems
    • The on-by-default Windows firewall allows packets through only if a user explicitly shares a folder or printer.
    • When a Windows Vista user chooses the ‘Public’ firewall setting, the firewall will block packets even if a folder or printer has been shared.

Status of fixes

Even with the above mitigations, we’re not slowing down our investigation, and are working on an update that can be delivered for all customers. The product team has built packages and are hard-at-work testing now to ensure quality. It takes more testing than you might think to release a quality update.  For this update, the product team has so far already completed over 10,000 separate test cases in their regression testing.  They are now in stress testing, 3rd-party application testing, and fuzzing.  We'd sure like to complete all that testing before the update needs to be released.  We are keeping a close eye on the changing landscape and balancing this against the remaining test actions to determine the best ship schedule to bring a quality update to customers.

- Mark Wodrich and Jonathan Ness, MSRC Engineering

*Posting is provided "AS IS" with no warranties, and confers no rights.*