Initial release: September 9, 2009
On October 13th, Microsoft released security bulletin MS09-050 and a patch to address the issue originally reported in security advisory 975497. This patch should be applied to affected machines as soon as possible.
Since the release of the bulletin, two exploits have been released. One is a local exploit that executes code of the attacker's choice when run locally by a logged-in user. The other executes code of the attacker's choice from a remote location. In light of this, the UISO strongly recommends applying the "disable SMBv2" workaround from the advisory or upgrading to Windows Server 2008 R2, which is not vulnerable to this attack.
On September 8, Microsoft announced security bulletins MS09-048 and MS09-049. MS09-048 addresses a vulnerability in TCP/IP, and MS09-049 addresses a vulnerability in Windows wireless networking.
Microsoft also released security advisory 975497 to address the active exploitation of a vulnerability in Windows SMB networking. On October 13th, Microsoft released security bulletin MS09-050 to address the issue.
For a complete list of platforms affected, please see the associated Microsoft Bulletin:
NOTE: Microsoft is not patching Windows 2000 SP4 to protect against vulnerabilities in MS09-048, as it would require rearchitecting the operating system.
As of September 17th 2009, the University Information Security Office was not aware of any active exploitation of these vulnerabilities on any university systems.
However, a public exploit for the vulnerability in security bulletin MS09-050 that causes Vista and Windows Server 2008 to blue screen is available. There are also reports that security researchers have developed a reliable remote code execution exploit.
Run Windows Update immediately.
Use a tool to verify that no patches are missing and that these patches have been successfully applied. Run Microsoft Baseline Security Analyzer (MBSA) to see if any of your systems are missing any of these or other patches. Or use the Secunia Online Software Inspector (OSI) to verify that these patches have been installed correctly.
If you are running Windows 2000, the University Information Security Office recommends that you upgrade to a later operating system, preferably Windows Server 2008 R2, or isolate and remove the Windows 2000 machine from the network. Although Microsoft says that "extended support" for Windows 2000 lasts until 7/13/2010, as of MS09-048 Microsoft is no longer patching all vulnerabilities in Windows 2000. Windows Server 2008 R2 has significant security improvements that realize the gains of Microsoft's ongoing secure development lifecycle.
For MS09-049: Disable wireless networking until the patch can be applied.
Disable all unnecessary services, such as file and print sharing.
Ensure your firewall prevents unauthorized access, including by setting its scope properly and narrowly.
To prevent successful exploitation of the vulnerability described in security bulletin MS09-050, disable SMBv2 according to the mitigation instructions in the bulletin; the computer will continue to use SMBv1. Windows Server 2008 should be running Service Pack 2 before SMBv2 is disabled.
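As an added example that is not part of this advisory, the following PowerShell applies and verifies the server-side "disable SMBv2" workaround on Vista and Windows Server 2008, and refuses to proceed on Server 2008 below SP2 as noted above. It assumes the workaround is the LanmanServer "Smb2" registry value described in Microsoft advisory 975497 (confirm against the bulletin text); the function names are mine.

```powershell
# Added example, not UISO or Microsoft code. Run from an elevated PowerShell
# (2.0 or later). Assumption: the advisory 975497 workaround sets the
# REG_DWORD value "Smb2" = 0 under LanmanServer\Parameters and restarts the
# Server service. Remove the workaround after MS09-050 is installed.

$SmbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Smb2Disabled {
    # True only when the Smb2 value exists and is explicitly 0.
    $props = Get-ItemProperty -Path $SmbParams -ErrorAction SilentlyContinue
    return ($null -ne $props) -and ($props.Smb2 -eq 0)
}

function Disable-Smb2Workaround {
    $os  = Get-WmiObject Win32_OperatingSystem
    $ver = [version]$os.Version      # 6.0 = Vista / Server 2008, 6.1 = Server 2008 R2
    if ($ver.Major -ne 6 -or $ver.Minor -ne 0) {
        Write-Host "$($os.Caption) is not Vista/Server 2008; this script only targets those platforms."
        return
    }
    # Advisory note: Server 2008 should be at SP2 before SMBv2 is disabled.
    if ($os.Caption -match 'Server 2008' -and $os.ServicePackMajorVersion -lt 2) {
        Write-Warning "Server 2008 is at SP$($os.ServicePackMajorVersion); install SP2 first."
        return
    }
    if (Test-Smb2Disabled) {
        Write-Host 'SMBv2 is already disabled on the server side.'
        return
    }
    Set-ItemProperty -Path $SmbParams -Name Smb2 -Type DWord -Value 0 -Force
    # The Server service must restart for the change to take effect;
    # -Force also restarts dependent services such as Computer Browser.
    Restart-Service -Name LanmanServer -Force
    if (Test-Smb2Disabled) {
        Write-Host 'SMBv2 disabled; clients will now negotiate SMBv1 with this host.'
    } else {
        Write-Warning 'The Smb2 value did not persist; check registry permissions.'
    }
}

Disable-Smb2Workaround
```

Pair this with a firewall rule that limits TCP 139/445 to the hosts that actually need file sharing, since the workaround only removes the SMBv2 code path and leaves SMBv1 exposed.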