January 13, 2009 10:40 AM PST

Microsoft fixes holes in Server Message Block

by Elinor Mills

Updated at 12:50 p.m. PST to clarify that Windows Vista and Server 2008 are not affected by the SMB Buffer Overflow Remote Code Execution vulnerability, but are affected by the other two vulnerabilities.

Microsoft on Tuesday released a security update that fixes three vulnerabilities in the Windows network file-sharing protocol Server Message Block (SMB) that could allow an attacker to remotely take complete control of a system.

Microsoft Security Bulletin MS09-001, part of the Patch Tuesday bulletin for January, is rated critical for Microsoft Windows 2000, Windows XP and Windows Server 2003, and moderate for Windows Vista and Windows Server 2008. Windows Vista and Windows Server 2008 are not affected by the SMB Buffer Overflow Remote Code Execution vulnerability.

The buffer overflow remote code execution vulnerability arises from the way the SMB protocol handles specially crafted SMB packets. Meanwhile, an attempt to exploit the SMB Validation Remote Code Execution Vulnerability would not require a user name or password. Most attempts to exploit those weaknesses would result in a system denial of service; however, remote code execution is "theoretically possible," Microsoft said.

Using a firewall and having a minimum number of ports open can help protect networks against attacks, the company said.

"Blocking TCP ports 139 and 445 at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability," the bulletin says. "Microsoft recommends that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports."

Blocking connectivity to the ports may interfere with the function of certain services, including file and print sharing, fax, computer browser, and net log-on.

The SMB Buffer Overflow Remote Code Execution and SMB Validation Remote Code Execution vulnerabilities were reported by an anonymous researcher working with TippingPoint and the Zero Day Initiative. The SMB Validation Denial of Service vulnerability had been publicly reported.

Microsoft had issued a notice on Thursday saying it would issue one security update on Patch Tuesday. A Webcast is scheduled for 11 a.m. PST on Wednesday.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by Penguinisto January 13, 2009 11:12 AM PST
Disjointed sentence up there, it ends: "and moderate for Windows Vista and Windows Server 2008. Windows Vista and Windows Server 2008 are not affected."

Either they are affected (which requires the patch) or they are not (which means the patch would have been rated far lower than "moderate", dontchathink?)
by smilin:) January 13, 2009 2:06 PM PST
Buffer overflows almost always result in a system failure of some sort due to corruption, DEP kicking in, etc. To further leverage a buffer overflow to insert code requires circumventing additional protections that Vista and 2008 have.

Vista/2008 may have the buffer overflow but their architecture means they are not affected by a remote execution vulnerability. Remote execution is considered 'critical'. A non-exploitable buffer overflow would be 'moderate'.

The statement appears correct although it could use some clarification.

We'll never have software with 60+ million lines of code turn out perfect but MS investment in a more secure architecture seems to be paying off every time some flaw is found somewhere.
by roland827 January 13, 2009 11:42 AM PST
They claim it is moderate since most access to Vista systems results in the annoying pop-up requesting users to approve or deny access to a particular program. Although this is usually dismissed by people (by clicking OK) and not even read, it can still affect Vista due to force of habit by users who are basically just fed up with that pop-up....
by MSSlayer January 13, 2009 2:52 PM PST
The genius of MS, blame users for getting exploited.
by krillin6 January 14, 2009 2:34 PM PST
The Vista User Account Control is stupid, yes. It can also be turned off, which isn't good enough when you want to say users are the issue. Also, UAC should always be turned off; it is annoying.