Microsoft faces two zero-day security flaws

Microsoft may be forced to release an out-of-cycle security update for a vulnerability published the same day as the firm released its September Patch Tuesday update.

Security researcher Laurent Gaffie published proof of concept code showing how a flaw in Microsoft's file sharing (SMB2) protocol could be exploited.

The flaw means that an attacker can remotely crash any Windows Vista or Windows 7 machines with Server Message Block 2.0 (SMB2) enabled, he said.

According to Gaffie, Windows XP and 2000 are not affected by the flaw as they do not use SMB2.

"This issue does appear to be remotely exploitable, and companies should look to patch as a matter of urgency as it presents a very real danger," said Roger Rawlinson, managing director assurance at NCC Group.

"Threats from an external perspective will be limited as long as best practice has been followed in regards to blocking access to netbios at the external firewalls," he said.

"We expect Microsoft to monitor the extent of exploitation of this new vulnerability and to provide guidance for workaround," said Wolfgang Kandek, chief technology officer at security firm Qualys.

Microsoft is also working on a security update for a flaw in its Internet Information Service (IIS) software, which was disclosed last week.

"Until a patch for this is issued, as a temporary workaround we suggest IT administrators using IIS 5.0 and 6.0 turn off anonymous write access immediately," said Ben Greenbaum, senior research manager at Symantec Security Response.

Those using IIS 7.0 with FTP Service version 6.0 installed should upgrade to FTP Service version 7.5, said Greenbaum.

The existence of two zero-day vulnerabilities has sparked speculation that Microsoft will release an out-of-band patch before its scheduled October security update.

Yesterday, Microsoft issued five security bulletins which address eight vulnerabilities, six of which are rated as critical.

The focus is on the Windows operating system family and most versions are affected.

"The notable exception is Windows 7, which is a pleasant surprise and most likely an outcome of the additional security measure implemented in this latest version of Windows," said Kandek.

MS09-045 and MS09-047 are client-side vulnerabilities affecting indirectly Internet Explorer and Windows Media Player.

MS09-048 is a network vulnerability located in the TCP/IP network stack of Windows 2008 and Vista and can be exploited through the network.

MS09-049 is an attack on the WLan auto-configuration service of Vista and Windows 2008.

"This requires a malicious access point to be in Wi-Fi range, which limits the number of machines that can be attacked at any given time," said Kandek.

Germany-based Heise Security has confirmed the flaw's effect on Vista, but said it had no apparent effect on a computer running Windows 7.