Buffer underflow in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to execute arbitrary code via a Server Message Block (SMB) request that contains a filename with a crafted length, aka "SMB Buffer Underflow Vulnerability."
It is unusual to see the amount of attention given to this update and the speed at which it was released, especially out-of-band.
Thankfully for Server 2008 and Vista, the attacker has to be an authenticated user, but Server 2003 and XP users are not so lucky.
Most firewalls already block RPC traffic from external sources, so that attack vector is somewhat mitigated, but what I am worried about is the possibility of a 0-day worm getting inside an organization and worming around the entire network due to internal/client firewall rules.
It is particularly interesting that they released an update for Windows 7 pre-beta, build 6801, which I believe is going to be the build version given out at the PDC.
If you are running the beta builds of the Forefront Stirling TMG that have the GAPA protection enabled, you are already protected at the firewall level from the exploit due to the updated definitions already released by Microsoft. You can sort of think of it like Snort signatures.
I haven't seen active exploits out in the wild yet, but it is only a matter of time.
You can read the Homeland Security National Vulnerability Database report on it here.
You can read a more in-depth report from the Microsoft Security Vulnerability Research and Defense team on the update here.
Direct download links to the patch, per OS:
Win 2K SP4
Win XP x86 SP2 / SP3; x64 RTM / SP2
Win 2003 x86 SP1 / SP2; x64 RTM / SP2
Win Vista RTM/SP1 x86 / x64
Win Server 2008 x86 / x64
Other sites with additional information on the exploit:
SecurityFocus
FRSIRT
SecurityTracker
Secunia
XForce (1 of 2)
XForce (2 of 2)