Windows Server SMB zero-day exploit released after Microsoft failed to issue patch for three months
US CERT recommends blocking all outbound SMB connections until Microsoft (finally) issues patch
An exploit taking advantage of a Microsoft Windows Server zero-day security vulnerability has been released into the wild after the company failed to issue a patch, despite having been warned of the problem three months ago.
The proof-of-concept exploit, dubbed Win10.py, was released on Github five days ago by security researcher Laurent Gaffie.
According to US CERT, the vulnerability is "a memory corruption bug in the handling of SMB traffic, which may allow a remote, unauthenticated attacker to cause a denial of service on a vulnerable system".
It continues: "Microsoft Windows fails to properly handle traffic from a malicious server. In particular, Windows fails to properly handle a specially-crafted server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure.
"By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys. We have confirmed the crash with fully-patched Windows 10 and Windows 8.1 client systems, as well as the server equivalents of these platforms, Windows Server 2016 and Windows Server 2012 R2."
US CERT recommends blocking outbound SMB connections - TCP ports 139 and 445 along with UDP ports 137 and 138 - from the local network to the wide area network.
Despite the publication of the proof-of-concept code last week, Microsoft still hasn't issued a patch, or revealed when a patch will be ready.
In response to suggestions that it was irresponsible to publicise the security flaw and to publish the exploit, Gaffie suggested that the responsibility lies with Microsoft. "If I'm not rewarded in any way for the free work I'm doing for this multi-billion company, why should I tolerate them sitting on my bugs?" he asked over Twitter.
If i'm not rewarded in any way for the free work I'm doing for this multi-billion company, why should I tolerate them sitting on my bugs?— Responder (@PythonResponder)February 1, 2017
Further reading
More on Security
Thank Zuck it's Friday #9 - Home Office 'super database', the software reseller claiming £270m from Microsoft and social media data breaches
This week on the IT news podcast the team discusses the Home Office's 'super database' on race, health and biometrics, the British software reseller bringing at £170m claim against Microsoft and the recent data breaches involving both Facebook and LinkedIn....
Understanding what drives teen hackers is key to securing your business, says cyber expert Shelton Newsham
Natural curiosity can lead some to open some wrong doors
Nearly 500 million LinkedIn users' details posted for sale online
The hacker included 2 million records as proof that they have what they claim
Securing your investment in Microsoft 365
There’s a lot of sensitive data contained in Office documents - so it makes sense to take care of it
Booking.com fined €475,000 for late reporting of data breach
Travel firm delayed reporting the breach by 22 days, exceeding the 72-hour limit
Most read
