SMB Bug In Windows No Killer, But Patch It Anyway

Of all the Microsoft Windows vulnerabilities disclosed this week, the one that should be patched fastest is the flaw in Windows' SMB (Server Message Block), most security analysts say.

Gregg Keizer, Contributor

February 9, 2005

Of all the Microsoft Windows vulnerabilities disclosed this week, the one that should be patched fastest is the flaw in Windows' SMB (Server Message Block), most security analysts agreed Wednesday. But unlike the snap analysis done the day before, the experts now say that while the vulnerability is dangerous, it's unlikely to lead to the next MSBlast or Sasser.

Initial analysis Tuesday by security firms such as nCircle described the SMB bug in dire terms, saying that it could lead to a worm that would rival 2003's MSBlast and its global disruption. That was based on the expectation that the vulnerability could be exploited without any user interaction. In that scenario, an attacker would be able to hack into a vulnerable PC simply by sending a malformed packet to it.

Not so.

"That's what we first believed," said Oliver Friedrichs, the senior manager of Symantec's security response team. "But now it looks like there needs to be some client interaction for an exploit to work."

nCircle's director of research, Mike Murray, who on Tuesday called the SMB vulnerability the one, of the 16, most likely to wreak havoc, agreed. "It's not as serious as we originally thought," Murray said. "The code seems to be vulnerable only on an outbound request to a server, so the exploit would have to trick the host into making such a call."

Creating an attack like that, he said, would be beyond the sophistication of most worm writers. "Luckily, we shouldn't see another MSBlast out of this," he said, "unless there's a substantial jump in the sophistication of the malware writers. But we should still cross our fingers."

Although the experts downgraded the threat posed by the vulnerability, they didn't hesitate to put it at the top of their list for patching. Friedrichs called it an "extremely severe" vulnerability and Murray repeated his warning of Tuesday that it should be the patch first applied by enterprises. The Internet Storm Center also waded in, making the SMB vulnerability its number one priority.

"It appears that the vulnerability lies in the handling of broadcast SMB packets, which mitigates the possibility of this being used for an automated remote attack (i.e., a worm), because broadcast SMB packets should not be routed," wrote Larry Zeltser in the center's analysis. "However, according to the documents available, this may be exploitable by other means (clicking on a specifically crafted URL) and so there is a possibility of having malicious code exploiting this vulnerability dropped into a local network."

One analyst took exception to the consensus. Vincent Gullotto, the vice president of McAfee's AVERT research team, said "this is one of the least critical vulnerabilities because it looks like it would take much more user interaction than first thought." Instead, Gullotto ranked the license logging vulnerability in NT Server, Windows 2000 Server, and Windows Server 2003 as the top threat.

"This is the one we think could most easily have a worm launched against it," said Gullotto, explaining McAfee's concern. "It's highly critical, even though it doesn't impact as many systems as some of the other vulnerabilities," he added.

Once beyond the SMB vulnerability -- or for McAfee devotees, the one related to licensing -- companies should patch the vulnerabilities for which there are already exploits circulating, agreed the analysts.

Those include the fixes for flaws in Internet Explorer -- particularly the drag-and-drop vulnerability that has already been used by hackers to plant malicious code and spyware on systems -- and the fix for the PNG image file format bug in Windows Media Player and Microsoft's instant messaging client.

Of course, these recommendations are snapshots, and could change at any time, the experts warned.

"Frankly, we're still a little hazy about the [SMB] vulnerability," admitted Friedrichs.