Microsoft may be forced to release an out-of-cycle security
update for a vulnerability published the same day as the firm
released its September Patch Tuesday update.
Security researcher Laurent Gaffie published
proof of concept code showing how a flaw in Microsoft's file
sharing (SMB2) protocol could be exploited.
The flaw means that an attacker can remotely crash any Windows
Vista or Windows 7 machine with Server Message Block 2.0 (SMB2)
enabled, he said.
According to Gaffie, Windows XP and 2000 are not affected by the
flaw as they do not use SMB2.
"This issue does appear to be remotely exploitable, and
companies should look to patch as a matter of urgency as it
presents a very real danger," said Roger Rawlinson, managing
director assurance at NCC Group.
"Threats from an external perspective will be limited as long as
best practice has been followed in regards to blocking access to
NetBIOS at the external firewalls," he said.
"We expect Microsoft to monitor the extent of exploitation of
this new vulnerability and to provide guidance for workaround,"
said Wolfgang Kandek, chief technology officer at security firm
Qualys.
Microsoft is also working on a security update for a flaw in its
Internet Information Services (IIS) software, which was
disclosed last week.
"Until a patch for this is issued, as a temporary workaround we
suggest IT administrators using IIS 5.0 and 6.0 turn off anonymous
write access immediately," said Ben Greenbaum, senior research
manager at Symantec Security Response.
Those using IIS 7.0 with FTP Service version 6.0 installed
should upgrade to FTP Service version 7.5, said Greenbaum.
The existence of two zero-day vulnerabilities has sparked
speculation that Microsoft will release an out-of-band patch before
its scheduled October security update.
Yesterday, Microsoft issued five security bulletins which
address eight vulnerabilities, six of which are rated as
critical.
The focus is on the Windows operating system family and most
versions are affected.
"The notable exception is Windows 7, which is a pleasant
surprise and most likely an outcome of the additional security
measure implemented in this latest version of Windows," said
Kandek.
MS09-045 and MS09-047 are client-side vulnerabilities that
indirectly affect Internet Explorer and Windows Media Player.
MS09-048 is a vulnerability in the TCP/IP network stack of
Windows 2008 and Vista that can be exploited over the network.
MS09-049 addresses a flaw in the WLAN auto-configuration service
of Vista and Windows 2008.
"This requires a malicious access point to be in Wi-Fi range,
which limits the number of machines that can be attacked at any
given time," said Kandek.
Germany-based
Heise Security has confirmed the flaw's effect on Vista, but
said it had no apparent effect on a computer running Windows 7.