Rush Windows patch for SMB 2 flaw unlikely, says researcher

Computerworld - It's unlikely that Microsoft will ship an emergency fix for a critical Windows vulnerability that the company disclosed earlier this month, a security researcher said yesterday.

The vulnerability in SMB (Server Message Block) 2, a Microsoft-made network file- and print-sharing protocol, affects Windows Vista and Windows Server 2008, as well as preview versions of Windows 7, including the beta and release candidate, which have been downloaded and installed by millions since January.

The appearance of a public exploit Monday cranked up speculation that Microsoft would plug the SMB 2 hole with a so-called "out-of-band" update, one outside the company's regular monthly schedule. But Dave Aitel, the chief technology officer at penetration testing software maker Immunity, said that's virtually impossible.

In a message to the Dailydave security mailing list, Aitel said that Immunity's researchers had rooted around the public exploit. "I asked the Immunity team to take a look into the new exploit to assess whether Microsoft would patch the SMBv2 bug early, and our initial assessment is, 'No, they will not,'" said Aitel in a message posted to the list Tuesday.

"Working around this issue in the current public exploit is probably two weeks of work," Aitel added. "At that point, we're nearing Microsoft Tuesday and the need for an out-of-band patch is moot."

Microsoft's next regularly-scheduled Patch Tuesday is Oct. 13, two weeks from yesterday.

Immunity, best known for its CANVAS penetration testing framework, released a working remote code exploit on Sept. 16 to paying subscribers of its Early Updates program. Last Monday, however, attack code went public when Stephen Fewer, a researcher with Harmony Security, added a module to the open-source Metasploit pen-testing toolkit.

One security expert said that the Metasploit move meant in-the-wild attacks are already under way. "This is in the wild now, without question," said Alfred Huger, formerly with Symantec and currently vice president of engineering at security start-up Immunet. "There are a number of automated toolkits that rely on Metasploit as their framework for breaking into end points. The general time to see these pop up on honeypots from the point of public release is nearly always [the] same day."

Kostya Kortchinsky, one of the Immunity researchers who wrote the exploit for the company's CANVAS two weeks ago, wasn't so sure. "In the past, it would be used in the wild pretty soon, one to two weeks, when the exploit was of good quality," said Kortchinsky in an e-mail reply to questions. "But this one is definitely not reliable, and [attackers] might want to improve it a bit, or it will end up in [just] a blue screen."

Unsuccessful attacks against the SMB 2 vulnerability result in the notorious "Blue Screen of Death" on Windows. The public exploit also works only on 32-bit systems, added Kortchinsky; 64-bit versions of Windows crash, but don't give hackers an opening.

Huger countered. "The hackers will be even more incented in this case because it's not patched, it's a free invitation onto every vulnerable system on the Internet," he said. "They have to think Microsoft will move to patch quickly and will be racing against them."

Microsoft has not published a patch timetable, although it has posted automated tools that disable SMB 2 as an ad hoc defense.

But that's not much good, said John Pescatore, a security analyst with Gartner. "For most, the workaround to turn off SMB [2] isn't feasible, so most Vista machines and many Server 2008 machines will be vulnerable," he said.

And if Microsoft doesn't manage to fix the problem by Oct. 13? "If no patch by then, I'd say it is likely there will be stable [attack] code within a few weeks, able to spread and go after vulnerable machines," Pescatore said.

Read more about Security in Computerworld's Security Topic Center.