Microsoft’s advisory on the SMB driver issue is now available. As expected, it includes some comments on mitigation, but they’re rather fluffy.
- It advocates "Firewall best practices and standard default firewall configurations", which "can help protect networks from attacks that originate outside the enterprise perimeter," and suggests exposing a "minimal number of ports". Well, duh… I’d expect any firewall administrator in today’s world to adopt a "deny all" configuration, in which you start with a firewall policy that blocks everything and add only the ports that are necessary for normal functioning.
- It does say that "In this case, the SMB ports should be blocked from the Internet". I thought at first that it wasn’t going to tell us which ports those are, but it does, in fact, mention TCP ports 139 and 445 elsewhere in the advisory. It doesn’t mention the implications for those sites that still support NetBIOS for older machines, though, which could be a concern. See http://go.microsoft.com/fwlink/?LinkId=21312 for more information on Microsoft’s TCP and UDP port assignments.
- As Brian Eckman mentioned, you can set the network profile in Vista "Public", so that unsolicited inbound network packets are blocked by default, which should bypass the exploit.
The advisory also states that "Windows 7 and Windows Server 2008 R2 are not affected by this vulnerability."
In addition, a number of rather more detailed workarounds are suggested, along with the implications of reduced functionality that goes with each one. Sysadmins please read…
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Author David Harley, ESET