Saw this article on e-week. I suspect it's mostly FUD, but just so everyone's aware and keeping an eye out for suspicious activity.
E-Week Article
Hey Hey,
Considering this was a privately found exploit by a company that I really couldn't see releasing the technical details, this seems pretty fast to have a live exploit already... then again... there's a lot of people out there with nothing better to do..
The scary part is the fact that this is a pre-auth problem, so anyone can exploit it.
I'd be more inclined to think that this was the result of the recent release of an exploit for MS05-011 which also targets SMB... It's quite possible that they're seeing the increase of traffic from this new toy and because of the recent announcement of MS05-027 it's being interpreted as an exploit for it..
I guess only time will tell... but if it is live already, I'd appreciate any information anyone has on it.. There has been a thread regarding this exploit on GSO and the most popular opinion is that it'll be Worm time again... and I could see it happening, so when the exploit is released it'd be nice to have a bit of a heads up to start watching for the worm...
Anyways... thanks for the article
Peace,
HT
Actually the bigger problem is that while the company found the exploit they were probably not the first person to find it. The problem comes right there because the first, (few), people to find it probably used it - for a while - and didn't tell anyone.
Quote:
Considering this was a privately found exploit by a company that I really couldn't see releasing the technical details, this seems pretty fast to have a live exploit already... then again... there's a lot of people out there with nothing better to do..
The "quiet" crackers have their "private" 0 days that they use at will and often for profit. Their biggest fear for their private 0 days is someone with ethics finding them and publicising them so that they are patched against. Once that happens some will publish for "props" in the community... Might as well get one last "gasp" out of their work I suppose.... :rolleyes:
All you need is the patch itself. It provides a perfect roadmap to the vulnerable code, once the patch is out, exploits are right behind it.
-Maestr0
According to the SANS Internet Storm Center, it looks like it's most likely an exploit for MS05-011, since that was released yesterday. Everyone should be patched against that (right?), so it's less of a concern than if it's -027.
Except NT machines are potentially vulnerable (again).
That particular exploit indicated that it was for Windows 2000 - it didn't mention XP. Since I guess most Windows 2000 clients are sitting behind corporate firewalls, then that would limit its use somewhat.
Still.. keep auditing and patching, eh?
Patching, as always.
And how many times have we all been bitten by a small hole (such as VPN) in our corporate perimeter being used as an infection vector to compromise all of our unpatched PCs?
Found this, thought it underscored my point perfectly.
http://www.sabre-security.com/produc...ndiff_png.html
-Maestr0
Hi,
Quote:
Originally posted here by Timmy77
I suspect it's mostly FUD, but just so everyone's aware and keeping an eye out for suspicious activity.
Pretty much is FUD! SMB is designed for sharing resources on a LAN and I can't think of any reason why you would want to open it up at the firewall. If you have left it open, you are already owned :eek: and should be spending time drawing up your CV rather than trying to block the gaping mousehole you have left in your system.
Port scanning is just foo you have to deal with and if you have detected it increasing then whoever's smurfing you out doesn't know diddly from squat so you are probably ok. it's the ones you don't detect you have to worry about.
But even if you block SMB ports on the firewall (which I have to admit you would be STUPID not to do), all it takes is one user who gets his laptop 0wned while on the internet at home to bring it into the office and you are comprehensively stuffed.
We are also seeing viruses now that drop an LSASS or DCOM worm behind the firewall after being delivered by email, so it's possible that any publicly available exploit could be delivered in that way.
It's not just MS05-027 that is a risk (although it's the biggest risk) as there are a whole batch of holes announced so far this year that are worrying.
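The thread above boils down to two checks a defender wants to run while "watching for the worm": is SMB (TCP 139/445) actually blocked at the perimeter, and which outside hosts are sweeping the address range on those ports. The script below is an added example written for this thread, not code from any poster; the log lines are constructed syslog-style firewall records, and the field names (IN=, SRC=, DST=, DPT=) are an assumed format.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (assumed iptables-style syslog format); not real traffic.
SAMPLE_LOG = """\
Jun 15 09:00:01 fw kernel: DENY IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445
Jun 15 09:00:01 fw kernel: DENY IN=eth0 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP DPT=445
Jun 15 09:00:02 fw kernel: DENY IN=eth0 SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP DPT=445
Jun 15 09:00:02 fw kernel: DENY IN=eth0 SRC=203.0.113.7 DST=192.0.2.13 PROTO=TCP DPT=139
Jun 15 09:00:03 fw kernel: DENY IN=eth0 SRC=203.0.113.7 DST=192.0.2.14 PROTO=TCP DPT=445
Jun 15 09:00:03 fw kernel: DENY IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=445
Jun 15 09:00:04 fw kernel: DENY IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=80
Jun 15 09:00:05 fw kernel: ACCEPT IN=eth1 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP DPT=445
Jun 15 09:00:06 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.50 DST=192.0.2.20 PROTO=TCP DPT=445
"""

SMB_PORTS = {139, 445}
LINE_RE = re.compile(
    r"(?P<action>DENY|ACCEPT) IN=(?P<iface>\S+) SRC=(?P<src>\S+) "
    r"DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+)"
)

def parse(log):
    """Yield (action, iface, src, dst, dport) for each TCP record; skip lines that don't match."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield (m.group("action"), m.group("iface"), m.group("src"),
                   m.group("dst"), int(m.group("dpt")))

def smb_scanners(log, external_iface="eth0", min_targets=3):
    """Map each outside source to the distinct internal hosts it probed on SMB ports,
    keeping only sources whose fan-out reaches min_targets (a sweep, not a one-off)."""
    fanout = defaultdict(set)
    for action, iface, src, dst, dpt in parse(log):
        if iface == external_iface and dpt in SMB_PORTS:
            fanout[src].add(dst)
    return {src: hosts for src, hosts in fanout.items() if len(hosts) >= min_targets}

def smb_accepted_from_outside(log, external_iface="eth0"):
    """Any ACCEPT of an SMB port on the external interface means the perimeter rule is missing."""
    return [(src, dst, dpt) for action, iface, src, dst, dpt in parse(log)
            if action == "ACCEPT" and iface == external_iface and dpt in SMB_PORTS]

if __name__ == "__main__":
    for src, hosts in smb_scanners(SAMPLE_LOG).items():
        print(f"SMB sweep from {src}: {len(hosts)} internal hosts")
    for src, dst, dpt in smb_accepted_from_outside(SAMPLE_LOG):
        print(f"WARNING: SMB allowed in from {src} -> {dst}:{dpt}")
```

The fan-out threshold separates a worm-style sweep from a single stray connection attempt, which is the distinction the "port scanning is just foo" comment is making; the ACCEPT check is the one that matters if you think the firewall already blocks SMB.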