Topic: Vista/2008/Windows7 SMB2 BSOD 0-Day
« on: September 08, 2009, 08:42:11 »
AplusWebMaster

FYI...

Vista/2008/Windows7 SMB2 BSOD 0-Day
- http://isc.sans.org/diary.html?storyid=7093
Last Updated: 2009-09-08 13:09:06 UTC - "... vulnerability affecting Microsoft SMB2* can be remotely crashed with proof-of-concept code that has been published yesterday and a Metasploit module is out. We have confirmed it affects Windows 7/Vista/Server 2008. The exploit needs no authentication, only file sharing enabled with one 1 packet to create a BSOD. We recommend filtering access to port TCP 445 with a firewall. Windows 2000/XP are NOT affected by this exploit..."
* http://en.wikipedia.org/wiki/Server_Message_Block#SMB2

« Last Edit: September 08, 2009, 08:47:47 by AplusWebMaster »

This machine has no brain.
....... Use your own.
« Reply #1 on: September 08, 2009, 18:37:13 »
AplusWebMaster

FYI...

Microsoft Security Advisory (975497)
Vulnerabilities in SMB Could Allow Remote Code Execution
- http://boards.cexx.org/index.php?topic=11831.new#new

- http://www.symantec.com/connect/blogs/bsod-and-possibly-more
September 15, 2009

« Last Edit: September 15, 2009, 19:00:08 by AplusWebMaster »

« Reply #2 on: September 17, 2009, 01:36:51 »
AplusWebMaster

FYI...

SMB2 remote exploit released
- http://isc.sans.org/diary.html?storyid=7141
Last Updated: 2009-09-16 21:15:36 UTC - "... 0-day vulnerability in SMB2 on Windows Vista and Server 2008 operating systems... Yesterday a well known security company added a module for their exploitation product. The module contains the remote exploit for this vulnerability – in other words, any user running this tool can get full access to affected machines. If the exploit is stable enough, it can _very easily_ be used in a worm, so it can potentially be devastating. So, if you are running a Windows Vista or Server 2008 machine (Windows 7 RTM is not affected, RC *is*), be sure you apply one of workarounds listed by Microsoft (they are not perfect, but they can help), available here*..."
* http://www.microsoft.com/technet/security/advisory/975497.mspx

- http://www.theregister.co.uk/2009/09/16/windows_vista_exploit_released/
16 September 2009

« Last Edit: September 17, 2009, 02:57:52 by AplusWebMaster »

« Reply #3 on: September 17, 2009, 14:16:10 »
AplusWebMaster

FYI...

Microsoft Security Advisory (975497)
Vulnerabilities in SMB Could Allow Remote Code Execution
- http://boards.cexx.org/index.php?topic=11831.new#new
"...automated Microsoft Fix it solution" available.

« Reply #4 on: September 29, 2009, 04:51:04 »
AplusWebMaster

FYI...

Metasploit exploit module released
- http://www.symantec.com/security_response/threatconlearn.jsp
"... tracking a remotely exploitable vulnerability affecting the SMB kernel component ('srv2.sys'). Microsoft has reported that Windows Vista (SP1 and SP2) and Windows Server 2008 are affected. Reportedly, some beta builds of Windows 7 may also be affected.

On September 28, 2009, a remote code-execution exploit Metasploit module was released publicly. Attackers may be able to convert this module into other exploits and use it in the wild. We strongly advise users to block TCP port 445 immediately until patches are available. The researcher who discovered the flaw has stated that file sharing must be enabled for the issue to be exploited. Unless file sharing is explicitly required, users should disable it..."

- http://www.microsoft.com/technet/security/bulletin/MS09-050.mspx
Updated: October 14, 2009

- http://www.microsoft.com/technet/security/advisory/975497.mspx
Updated: October 13, 2009

« Last Edit: November 05, 2009, 11:24:58 by AplusWebMaster »