Windows Exploit Released, But Experts Downplay Danger

By Ryan Naraine - June 24, 2005
Amid conflicting reports on the extent of scanning activity on TCP Port 445, the port associated with a recently patched Windows vulnerability, security experts are warning that exploit code targeting a known Server Message Block (SMB) flaw has been posted on the Internet.

The exploit code, published on the FrSIRT (French Security Incident Response Team) Web site, could be used to target the "critical" vulnerability addressed in Microsoft Corp.'s MS05-011 bulletin.


That bulletin, released in February with patches for affected Windows 2000, Windows XP and Windows Server 2003 systems, corrects a weakness in Microsoft's SMB (Server Message Block) protocol implementation, but it is entirely separate from the SMB fixes released on this month's Patch Day.

Earlier this week, researchers at Symantec Corp.'s DeepSight Network warned that a noticeable surge in scans on Port 445 just one week after Microsoft's SMB patch was an ominous sign that a mass code execution attack may be imminent.

In Windows 2000, Windows XP and Windows Server 2003, Microsoft uses TCP Port 445 to run SMB directly over TCP/IP to handle the sharing of files, printers and serial ports, and for interprocess communication between machines over named pipes. Any spike in scanning activity on that port automatically sets off alarm bells, but security experts caution against overly dramatizing the potential for real danger.

Officials at the Washington-based SANS ISC (Internet Storm Center), which tracks malicious Internet activity, say they have been unable to verify the port-scanning surge Symantec reported.

"There are always little bumps and random noise [on Port 445], but it's not always related to a specific vulnerability or issue. I don't know what Symantec's sensors detected, but we've only really seen a big jump in scans on one day," said SANS ISC director Marcus Sachs.

The center's Port 445 activity graph shows a dramatic jump in scanning on May 13 but nothing out of the ordinary since then.

In an interview with Ziff Davis Internet News, Sachs said it is easy to misread scanning activity on Port 445 because it is a "very active port" used for all kinds of internal network communication.
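The caution above is concrete enough to test against log data. The following is an added example, not code from the article or from SANS or Symantec, that counts distinct source addresses hitting Port 445 per day and flags a day as a surge only when it stands well above the median of the surrounding days. Run once over all sources and once with RFC 1918 (internal) sources excluded, it shows how routine internal SMB traffic can produce a "spike" that disappears when only outside hosts are counted. The log format, the sample lines, the internal ranges and the thresholds (a day with at least five external sources and more than four times the median) are all constructed assumptions for the example.

```python
"""Spot a surge in external Port 445 scanning without being fooled by
internal SMB chatter. Constructed example; log format is an assumption."""
import ipaddress
import re
from collections import defaultdict
from statistics import median

# Assumed generic firewall log format (not any specific vendor's):
#   "YYYY-MM-DD HH:MM:SS ACTION proto=TCP src=A.B.C.D dst=E.F.G.H dpt=N"
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} \w+ proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=[\d.]+ dpt=(?P<dpt>\d+)$"
)

# Address space treated as "inside" (RFC 1918, an assumption for the example).
# Membership is checked explicitly rather than via ip_address(...).is_private,
# because is_private also covers the documentation ranges (203.0.113.0/24 etc.)
# used below for the outside hosts.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


# Constructed sample: six days of log lines around a scanning burst on 2005-05-13.
SAMPLE_LOG = """\
2005-05-10 08:01:11 ALLOW proto=TCP src=10.1.4.7 dst=10.1.4.20 dpt=445
2005-05-10 09:15:02 DROP proto=TCP src=203.0.113.5 dst=192.0.2.10 dpt=445
2005-05-10 17:42:19 DROP proto=TCP src=203.0.113.9 dst=192.0.2.10 dpt=445
2005-05-11 03:22:47 DROP proto=TCP src=203.0.113.5 dst=192.0.2.10 dpt=445
2005-05-12 07:50:12 DROP proto=TCP src=203.0.113.5 dst=192.0.2.10 dpt=445
2005-05-12 07:50:13 DROP proto=TCP src=203.0.113.5 dst=192.0.2.10 dpt=139
2005-05-12 13:31:55 DROP proto=TCP src=203.0.113.41 dst=192.0.2.10 dpt=445
2005-05-12 22:04:01 DROP proto=TCP src=203.0.113.88 dst=192.0.2.10 dpt=80
2005-05-14 04:10:08 DROP proto=TCP src=203.0.113.5 dst=192.0.2.10 dpt=445
2005-05-14 16:27:33 DROP proto=TCP src=203.0.113.19 dst=192.0.2.10 dpt=445
2005-05-15 09:45:14 DROP proto=TCP src=203.0.113.5 dst=192.0.2.10 dpt=445
2005-05-15 10:02:09 ALLOW proto=TCP src=10.1.4.7 dst=10.1.4.20 dpt=445
"""
# 2005-05-11: ten internal workstations talking to the file server (normal SMB use).
SAMPLE_LOG += "".join(
    f"2005-05-11 09:{i:02d}:00 ALLOW proto=TCP src=10.1.4.{30 + i} dst=10.1.4.20 dpt=445\n"
    for i in range(10)
)
# 2005-05-13: twelve distinct outside hosts probing 445 within a few minutes.
SAMPLE_LOG += "".join(
    f"2005-05-13 02:{i:02d}:00 DROP proto=TCP src=203.0.113.{100 + i} dst=192.0.2.10 dpt=445\n"
    for i in range(12)
)


def distinct_sources_per_day(log_text: str, port: int = 445,
                             exclude_internal: bool = True) -> dict:
    """Map each day seen in the log to the number of distinct source addresses
    that touched `port` over TCP. With exclude_internal=True, RFC 1918 sources
    are ignored, since SMB between internal hosts is routine, not reconnaissance."""
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sources.setdefault(m["day"], set())  # record the day even if nothing hit `port`
        if m["proto"] != "TCP" or int(m["dpt"]) != port:
            continue
        if exclude_internal and is_internal(m["src"]):
            continue
        sources[m["day"]].add(m["src"])
    return {day: len(s) for day, s in sorted(sources.items())}


def surge_days(per_day: dict, factor: int = 4, min_sources: int = 5) -> list:
    """Days whose count is at least `min_sources` and more than `factor` times
    the median of the other days. A median baseline keeps one spike from
    inflating the threshold used to judge the remaining days."""
    flagged = []
    for day, n in per_day.items():
        others = [v for d, v in per_day.items() if d != day]
        baseline = median(others) if others else 0
        if n >= min_sources and n > factor * max(baseline, 1):
            flagged.append(day)
    return flagged


if __name__ == "__main__":
    raw = distinct_sources_per_day(SAMPLE_LOG, exclude_internal=False)
    ext = distinct_sources_per_day(SAMPLE_LOG, exclude_internal=True)
    print("all sources:     ", raw, "->", surge_days(raw))
    print("external sources:", ext, "->", surge_days(ext))
```

Counting all sources flags both May 11 (the internal workstations) and May 13; counting only outside sources leaves May 13 alone. Counting distinct sources rather than raw packets also keeps one misconfigured host that retries endlessly from looking like a scan.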

With the publication of a working exploit, Sachs recommended that enterprise IT administrators speed up deployment of the patch and of other protective workarounds. But he insisted that there was no need for panic.

"All hell is not about to break loose. The Internet isn't about to collapse," Sachs said.

      More than anything else, the increased awareness caused by the DeepSight data should be a “gentle warning that you should always be vigilant,” Sachs added.

John Pescatore, vice president of security research at Gartner Inc., said the Symantec DeepSight reports of increased scanning are a "serious concern for enterprise security managers" because such activity usually means a mass attack is imminent.

      In a notice to enterprise clients, Pescatore urged that all firewall policies be immediately reviewed to ensure that Port 445 access is blocked wherever possible. He also recommended that all intrusion prevention system filters, both network- and host-based, be updated to block SMB-related hacker attacks.

Sachs echoed the Gartner guidance and warned that other public exploits for Windows holes are making the rounds. "This reinforces the fact that the window is narrowing rapidly from the time a patch comes out and the time an exploit is created and released. It used to be months before we heard of an exploit, but now it's down to days, or in extreme cases, a few hours after the patch."

"We know there's a working exploit out there, and that should be a nudge to everyone to put protections in place. There has been ample time to do the required tests before patching, and it's always good policy to block Port 445 at the gateway anyway," Sachs added.

      Gartners Pescatore stressed that network attacks follow a “highly predictable timeline” that includes port-scanning hacker reconnaissance. In the past, he said attackers have reverse-engineered software patches to create and circulate exploit code. Once that is done, the underworld will start scanning associated ports to pinpoint vulnerable systems before launching a mass attack.

      “The Port 445 activity may indicate that—in the week since Microsoft released the Windows patch—attackers have reached the fourth state in this process and may be preparing a mass attack employing the widely used SMB protocol,” Pescatore warned.

      Microsoft does not appear to be overly worried about the Port 445 scanning chatter. A company spokeswoman said engineers at the Microsoft Security Response Center have not received any indication of malicious activity associated with the most recent SMB patch.

      “Port scanning is an activity that may be indicative of an attempt to discover attack vectors against any vendor product and is not an activity unique to Microsoft products,” she added.
