Microsoft Offers 'Fix It' Option Disabling SMB Protocol
In a step short of a patch, Microsoft updated its security advisory to tell users to cut support for the SMBv2 protocol. The advisory links to a Microsoft "Fix It" package that disables the SMBv2 protocol and then stops and starts the Server service.
Specifically, the SMBv2 vulnerability, which affects Windows Vista and Windows Server 2008, stems from an error in the way that Microsoft's SMBv2, a network file sharing protocol, parses SMB requests. Microsoft warned, however, that disabling the SMB function might slow connections between Windows Vista and Windows Server 2008 machines.
Microsoft first reported the critical SMB vulnerability on Sept. 8.
Thus far, Microsoft said that it is still not aware of any attacks in the wild.
However, Microsoft confirmed in a company blog post that Miami Beach, Fla.-based security company Immunity had published reliable exploit code, which it released to a small group of subscribers to the Early Updates program for CANVAS, the company's vulnerability testing software.
"This exploit code from Immunity is only available to a small group of companies and organizations who will use it to determine the risk to their own networks and systems, or those of their customers," Microsoft said in a company blog post. "We are aware that other groups are actively working on exploit code which is likely to be made public when it is exploited."
If it falls into the wrong hands, the exploit code could feasibly be used by remote attackers to compromise and take complete control over affected 32-bit Windows Vista and Windows Server 2008 systems, generally to steal information or launch denial of service attacks that could restart or crash a user's PC.
Users can apply some mitigation techniques. In addition to disabling SMBv2 via Microsoft's Fix It, enterprise customers can also disable the protocol by using a registry script. Additionally, Microsoft said that consumer systems will be protected by the on-by-default firewall in Windows Vista, which only allows packets through if a user explicitly shares a folder or printer.
Meanwhile, Microsoft said that it was still working on a patch for the SMB vulnerability, which will likely either be released during the October monthly update cycle or as an out-of-band patch.
"Even with the above mitigation, we're not slowing down our investigation, and are working on an update that can be delivered for all customers," Microsoft said, adding that the Microsoft Response Center engineering teams are now in the fuzzing stages after completing more than 10,000 test cases in their regression testing. "We'd sure like to complete all that testing before the update needs to be released. We are keeping a close eye on the changing landscape and balancing this against the remaining test actions to determine the best ship schedule to bring a quality update to customers."