With exploit code in circulation and facing a race against time to fix the SMB v2 vulnerability haunting Windows Vista and Windows Server 2008, Microsoft today shipped a one-click “fix-it” workaround to help users avoid malicious hacker attacks.
The fix-it package, which was added to Redmond’s pre-patch advisory, effectively disables SMBv2 and then stops and starts the Server service so the change takes effect. It provides temporary mitigation against remote code execution attacks targeting the known, and still unpatched, vulnerability.
Microsoft cautioned that disabling SMBv2 may slow down SMB connections between Windows Vista and Windows Server 2008 machines.
The company also confirmed that the exploit code released into Immunity’s Canvas pen-testing platform works as advertised:
We have analyzed the code ourselves and can confirm that it works reliably against 32-bit Windows Vista and Windows Server 2008 systems. The exploit gains complete control of the targeted system and can be launched by an unauthenticated user.
The exploit can be detected by intrusion detection systems (IDS) and firewalls that have signatures for the vulnerability being targeted (CVE-2009-3103).
This exploit code from Immunity is only available to a small group of companies and organizations who will use it to determine the risk to their own networks and systems, or those of their customers. (We are aware that other groups are actively working on exploit code which is likely to be made public when it is completed).
If reliable exploit code is released to the general public, a strong likelihood, it’s only a matter of time before malicious hacker attacks surface in the wild. In the meantime, it’s incumbent on Microsoft to ship an out-of-band patch as soon as possible.
Microsoft’s Jonathan Ness hinted that an emergency patch may be forthcoming but it depends entirely on how soon the patch can pass quality assurance testing:
[We’re] not slowing down our investigation, and are working on an update that can be delivered for all customers. The product team has built packages and are hard at work testing now to ensure quality. It takes more testing than you might think to release a quality update. For this update, the product team has so far already completed over 10,000 separate test cases in their regression testing. They are now in stress testing, 3rd-party application testing, and fuzzing. We’d sure like to complete all that testing before the update needs to be released. We are keeping a close eye on the changing landscape and balancing this against the remaining test actions to determine the best ship schedule to bring a quality update to customers.
In the absence of a patch, here’s what you can do:
To revert the workaround, and re-enable SMBv2, you can:
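For readers who would rather apply and revert the workaround by hand than run the fix-it, here is an added example script; it is not Microsoft’s fix-it code and not part of the original post. It does what the fix-it is described as doing: set the Smb2 DWORD value under the LanmanServer\Parameters key to 0 (disabled) or 1 (enabled), as documented in Microsoft Security Advisory 975497, and then restart the Server service (LanmanServer) so the setting takes effect. The function names and the use of PowerShell instead of regedit plus net stop/net start are my choices, not the advisory’s. Run it from an elevated prompt on the affected Vista or Server 2008 host.

```powershell
# Added example: manual equivalent of the SMBv2 fix-it workaround and its reversal.
# Registry location is the one documented in Microsoft Security Advisory 975497.
$ServerParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb2State {
    # A missing Smb2 value, or any value other than 0, means SMBv2 is enabled (the default).
    $val = (Get-ItemProperty -Path $ServerParams -Name Smb2 -ErrorAction SilentlyContinue).Smb2
    if ($null -eq $val -or $val -ne 0) { return 'Enabled' } else { return 'Disabled' }
}

function Restart-ServerService {
    # Same effect as "net stop server" followed by "net start server".
    # Caveat: this drops every active SMB session on the host, and -Force also stops
    # dependent services (e.g. Computer Browser), which are not restarted automatically.
    Stop-Service -Name LanmanServer -Force
    Start-Service -Name LanmanServer
}

function Disable-Smb2 {
    # Apply the workaround. Set-ItemProperty creates the value if it does not exist yet.
    Set-ItemProperty -Path $ServerParams -Name Smb2 -Value 0 -Type DWord
    Restart-ServerService
    return (Get-Smb2State)
}

function Enable-Smb2 {
    # Revert the workaround once the real update is installed.
    Set-ItemProperty -Path $ServerParams -Name Smb2 -Value 1 -Type DWord
    Restart-ServerService
    return (Get-Smb2State)
}

# Usage (uncomment one):
# Disable-Smb2   # mitigation applied; Vista/2008 peers fall back to SMBv1
# Enable-Smb2    # mitigation reverted
# Get-Smb2State  # check without changing anything
```

Check `Get-Smb2State` before and after: the registry value alone does nothing until the Server service is restarted, which is why the fix-it restarts it and why a manual registry edit without the restart leaves the host exposed. The fallback to SMBv1 is also the source of the slowdown Microsoft warned about between Vista and Server 2008 machines.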
Mitigation guidance for enterprises is available in this blog post and in the Microsoft security advisory.