MA-201.112009: MyCERT Alert - Denial of Service Vulnerability in Microsoft Server Message Block (SMB)

1.0 Introduction

A serious vulnerability has been identified in both version 1 and 2 implementation of in Microsoft Server Message Block (SMB). If successfully exploited, this vulnerability will cause the operating system to crash. This vulnerability cannot be exploited to take control of or install malicious software on a user's system.

MyCERT is aware that a '0-day' exploit is available on the internet.

2.0 Impact

By exploiting this vulnerability, an attacker could cause denial of service and crash the victim's computer ('blue screen of death'). This could potentially lead to loss of data that is currently being worked on or unsaved.

3.0 Affected Products

Microsoft Windows operating systems listed below are vulnerable to this vulnerability:

• Windows 7 for 32-bit Systems
• Windows 7 for x64-based Systems
• Windows Server 2008 R2 for x64-based Systems
• Windows Server 2008 R2 for Itanium-based Systems

4.0 Recommendation

At the time of this writing, Microsoft has not released any patches to address this vulnerability. However, users are recommended to disable SMB on affected systems as the workaround.

To implement the workaround that disables the Microsoft Server Message Block (SMB), below are the steps to disable the Microsoft Server Message Block (SMB) v2:

• Go to Network and Sharing Center under Control Panel and click on Change Adapter Settings
  
  
  
  
• Right click on your connected network adapter and click on Properties
  
  
  
  
• Uncheck the File and Printer Sharing for Microsoft Network and hit OK
  
  
  
  
• Users are also advised to block TCP ports 139 and 445 at the firewall

MyCERT would like to advise the users of the Windows Operating systems to be vigilant of the latest security announcements by Microsoft and ensure that they automatically update the operating systems. Article on how to enable the auto update feature can be obtain from the following URL: http://www.mycert.org.my/en/resources/os/main/main/detail/707/index.html

MyCERT can be reached through the following channels for further assistance:

E-mail : mycert@mycert.org.my
Phone : +603 89926969 or 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : +60 19 2813801 (24x7 SMS reporting)
Business Hours : Mon - Fri 08:30 -17:30 MYT
Web : http://www.mycert.org.my

5.0 References

• http://www.microsoft.com/technet/security/advisory/977544.mspx
• http://isc.sans.org/diary.html?storyid=7597
• http://isc.sans.org/diary.html?storyid=7573