Hackers May Force Microsoft’s Hand on SMB2 Bug

Microsoft is working feverishly to patch a zero-day bug, disclosed in early September, in a key Windows networking protocol, but it hasn’t finished testing the fix yet.

Now, Microsoft’s (NASDAQ: MSFT) security wranglers have received notice that they’d better get a move on.

This week, a hacker uploaded an exploit that takes advantage of the bug in what’s called Server Message Block version 2 (SMB2) and incorporated it into the Metasploit Framework, a popular hackers’ tool. With it, an attacker would be able to take complete control of users’ PCs.

The zero-day bug first surfaced on September 8, when Microsoft issued a Security Advisory warning that versions of Windows that use SMB2 are at risk.

SMB1 implementations, used in older versions of Windows, including Windows XP and Windows 2000, are not susceptible to the bug. The release versions of Windows 7 are also safe from the exploit.

That, however, leaves Windows Vista, Windows Server 2008, and the “release candidate” of Windows 7, which is no longer available for download but will function until June 2010. Originally, the hacker who discovered the SMB2 security hole thought that the final release version of Windows 7 was also susceptible to the problem, but Microsoft said its researchers quickly disproved that assertion.

SMB is a network protocol used to provide sharing of files, printers, and other communications on a network.

Although Microsoft’s early September advisory provided two workarounds, which both basically disable use of SMB2, the company has not yet released the patch that it promised in the original advisory.

In addition, the company’s security researchers have been mum so far about the latest twist in the continuing SMB2 story, except to reiterate what they’d said in the earlier advisory.

“Microsoft is unaware of any attacks trying to use the reported vulnerability or of customer impact,” Christopher Budd, security response communications lead for Microsoft, said in an e-mailed statement.

A post a week and a half ago on Microsoft’s Security Research and Defense blog, however, did provide a glimpse into the bug fixing process.

“The product team has so far already completed over 10,000 separate test cases in their regression testing,” the blog post said.

The next statement in the post may be telling.

“We are keeping a close eye on the changing landscape and balancing this against the remaining test actions to determine the best ship schedule to bring a quality update to customers,” the post said.

Microsoft officials still decline to name a release date for the upcoming patch.
