Rush Windows patch for SMB 2 flaw unlikely, says researcher
Don't look for Microsoft to fix the vulnerability early, argues Immunity's CTO
Computerworld - It's unlikely that Microsoft will ship an emergency fix for a critical Windows vulnerability that the company disclosed earlier this month, a security researcher said yesterday.
The vulnerability in SMB (Server Message Block) 2, a Microsoft-made network file- and print-sharing protocol, affects Windows Vista and Windows Server 2008, as well as preview versions of Windows 7, including the beta and release candidate, which have been downloaded and installed by millions since January.
The appearance of a public exploit Monday cranked up speculation that Microsoft would plug the SMB 2 hole with a so-called "out-of-band" update, one outside the company's regular monthly schedule. But Dave Aitel, the chief technology officer at penetration testing software maker Immunity, said that's virtually impossible.
In a message to the Dailydave security mailing list, Aitel said that Immunity's researchers had rooted around the public exploit. "I asked the Immunity team to take a look into the new exploit to assess whether Microsoft would patch the SMBv2 bug early, and our initial assessment is, 'No, they will not,'" said Aitel in a message posted to the list Tuesday.
"Working around this issue in the current public exploit is probably two weeks of work," Aitel added. "At that point, we're nearing Microsoft Tuesday and the need for an out-of-band patch is moot."
Microsoft's next regularly-scheduled Patch Tuesday is Oct. 13, two weeks from yesterday.
Immunity, best known for its CANVAS penetration testing framework, released a working remote code exploit on Sept. 16 to paying subscribers of its Early Updates program. Last Monday, however, attack code went public when Stephen Fewer, a researcher with Harmony Security, added a module to the open-source Metasploit pen-testing toolkit.
One security expert said that the Metasploit move meant in-the-wild attacks are already under way. "This is in the wild now, without question," said Alfred Huger, formerly with Symantec and currently vice president of engineering at security start-up Immunet. "There are a number of automated toolkits that rely on Metasploit as their framework for breaking into end points. The general time to see these pop up on honeypots from the point of public release is nearly always [the] same day."
Kostya Kortchinsky, one of the Immunity researchers who wrote the exploit for the company's CANVAS two weeks ago, wasn't so sure. "In the past, it would be used in the wild pretty soon, one to two weeks, when the exploit was of good quality," said Kortchinsky in an e-mail reply to questions. "But this one is definitely not reliable, and [attackers] might want to improve it a bit, or it will end up in [just] a blue screen."
Unsuccessful attacks against the SMB 2 vulnerability result in the notorious "Blue Screen of Death" on Windows. The public exploit also works only on 32-bit systems, added Kortchinsky; 64-bit versions of Windows crash, but don't give hackers an opening.
Huger countered. "The hackers will be even more incented in this case because it's not patched, it's a free invitation onto every vulnerable system on the Internet," he said. "They have to think Microsoft will move to patch quickly and will be racing against them."
Microsoft has not published a patch timetable, although it has posted automated tools that disable SMB 2 as an ad hoc defense.
But that's not much good, said John Pescatore, a security analyst with Gartner. "For most, the workaround to turn off SMB  isn't feasible, so most Vista machines and many Server 2008 machines will be vulnerable," he said.
And if Microsoft doesn't manage to fix the problem by Oct. 13? "If no patch by then, I'd say it is likely there will be stable [attack] code within a few weeks, able to spread and go after vulnerable machines," Pescatore said.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts