Some traffic has crossed my radar concerning a 0-day exploit that apparently enables a remote attacker to crash a Vista or Windows 7 system with SMB enabled (and according to subsequent reports, Server 2008). The original post and exploit are claimed to demonstrate the possibility of a Blue Screen Of Death (BSOD) and (normally) an automatic reboot when the SMB2 driver fails to handle malformed headers correctly.

However, subsequent traffic on a specialist mailing list indicates that the underlying vulnerability could also be used to effect remote code execution and local privilege escalation. SecurityFocus has subsequently reported this as a remote code execution vulnerability, and cites a CVE reference CVE-2009-3103, but this isn't listed at CVE (Common Vulnerabilities and Exploits) at time of writing.

According to the Internet Storm Center, a Microsoft advisory has become available: "Microsoft Security Advisory (975497) Vulnerabilities in SMB Could Allow Remote Code Execution", at however, I'm just getting an error message on that URL right now. This vulnerability is not addressed by this month's "Patch Tuesday" updates.

A preliminary analysis from the University of Minnesota passed onto a specialist list suggests that the exploit defaults to 445/tcp, and suggests some possible mitigations:

  • Set firewalls to deny inbound file and print sharing, or set network location to "public"
  • Disable SMB2 (I believe this is enabled by default - DH)

Brian Eckman, the analyst in question, notes that "..the steps taken for servers require a registry change and a reboot, while disabling the SMB2 client appears to only require a couple commands to be run." So administrators on large sites  will need to warn end users and departments before applying mitigation on such machines.

Hopefully, the promised Microsoft advisory will become available shortly: I would expect this to include precise information on short-term workarounds.

David Harley
Director of Malware Intelligence