UPDATE: This has been corrected as of March 12 Details are as follows This article first appeared on March 11, 2019
Just before distributing yesterday's Patch Tuesday fix, Microsoft mistakenly disclosed a new flaw in Windows, and then for some reason decided not to fix it
The vulnerability, like the 2017 NotPetya and WannaCry worms, allows malware to "worm" its way through corporate computer networks and possibly the Internet However, even if this worm were exploited, it would not be as devastating as these two worms
The flaw affects only Windows 10 versions 1903 and 1909 and Windows Server 2019; you can check if you are running either 1903 or 1909 by going to Settings, then System, then About
Until Microsoft releases a patch for this flaw, your best bet is to manually disable port 445 in the Windows Firewall Here is how to do it (Make sure you are logged in as an administrative user)
The downside of blocking port 445 is that you will not be able to share connections to printers or files with other PCs on the same local network
This flaw is related to the Server Message Block protocol version 311, aka SMBv3 In Microsoft's security advisory, the software maker considers this a "critical" "remote code execution vulnerability" and states that "an attacker who successfully exploits the vulnerability could gain the ability to execute code on a target SMB server or SMB client, that is, a computer using SMBv3 or server," adding that "an attacker could gain the ability to execute code on the target SMB server or SMB client"
Security firm Fortinet, which presumably has advance information about Microsoft's Patch Tuesday update, yesterday announced that the flaw is a "Microsoft described it as a "buffer overflow vulnerability in SMB servers
A buffer overflow is a fairly routine software flaw that occurs when a program exceeds its allotted capacity in the system's execution memory When an overflow occurs, the overflow drains to a memory area allocated to another program or to an unallocated memory area As a result, code in the overflowed area can execute code in the first program [The vulnerability results from an error in the vulnerable software's handling of maliciously crafted compressed data packets," Fortinet wrote
"A remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the applicationCisco's Talog blog noted in its summary of Microsoft's Patch Tuesday update that "exploitation of this vulnerability opens the system to a "worm attack"
The Talog blog post has since been removed and replaced with a new version that does not mention the SMB flaw
So should we run around screaming? Probably not, as Jake Williams, founder of Rendition Security and a minor information security legend known as MalwareJake, tweeted yesterday, "This is serious, but it's not WannaCry 20"
"There are few systems affected and no exploit code readily available," Williams added The hysteria is unwarranted"
On March 12, Microsoft quietly distributed an update to address the "Microsoft Server Message Block 311 protocol issue," or this very serious vulnerability
If your Windows 10 version is 1903 or 1909 and Windows Update is set to automatically download and install security patches, simply leave your computer running for a few hours
If Windows Update is set to wait until you manually install updates, or if you are simply impatient, go to Settings -> Update and Security -> Windows Update and click the "Check for Updates" button
Comments