News

SMB Exploit Took 7 Years To Fix, Security Pros Say

• By Jabulani Leffall
• November 12, 2008

Eric Schultze, an IT security gadfly, said jokingly that he has been holding his breath for seven years -- waiting for the patch that Microsoft finally delivered on Tuesday.

And Schultze, who is chief technology officer at IT security shop Shavlik Technologies, believes it's about time.

"I used to demonstrate this attack in classroom training events around the country," he said. "It was very eye opening for people to see a very easy-to-use exploit that could result in accessing anyone's computer on their network."

Schultze added that the problem was acknowledged by Microsoft in 2001 but it was never fixed, which "was an equally eye-opening bit of news for the classroom participants years ago."

There were other warnings as well. Hacker-turned-security-researcher Josh Buchbinder (a.k.a. "Sir Dystic") published remote code exploits that revealed the same vulnerabilities that Redmond cited on Tuesday with the SMB fix.

Meanwhile, Symantec Research Manager Ben Greenbaum suggests that the flaw may have its roots eight summers ago at the security conference Defcon 2000. At that event, Veracode Chief Scientist Christien Rioux (a.k.a. "Dildog") released the code.

Greenbaum said in a prepared statement that he didn't know why Microsoft had waited so long to fix the issue.

SMB is an application-borne network protocol enabling shared access to files and serial ports, as well as remote printers. While the flaw affecting SMB was just deemed "important" by Microsoft in its November patch bulletin, Schultze said that the remote code execution implications and the lag time on the patch were "pretty scary."

"The [SMB exploit] should keep IT managers up at night until it's fully patched," Schultze cautioned. "It's like, 'How do I know I haven't already been hacked with this exploit?' [and] 'Who's been accessing my computer without my password?' And the answer is, you really don't know."

Years ago, hackers could use a copy of the SMBRelay program to access a workstation on a typically configured corporate network without scrutiny. Microsoft conceded that previously available "public tools," including a Metasploit module, "have been and are available to perform this attack," according to a blog post. Metasploit is the open source toolkit used by hackers to build attack code. It's also used by security professionals to publish proof-of-concept exploits.

Redmond has yet to respond publicly and specifically about the perceived lag time on Tuesday's patch.

Right after Tuesday's roll out, Schultze had a hunch about the familiar exploit pattern but still wasn't convinced.

"So I tested and confirmed that the patch does indeed address the SMBRelay attack revealed by Dystic in March 2001," he said. "This pretty much means that Microsoft has known of this problem since 2001 and was not able to, or chose not to, fix it until now."

Schultze added that this also means that working exploit code has been available for all operating systems, including Windows NT 4, Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008. However, as Microsoft correctly states, exploitation is mitigated on Vista and Windows Server 2008. That said, Schultze considers the item to be "critical."

There is little insight outside of Redmond as to how Microsoft's patch selection process works. For security researchers who spoke out about the SMB patch, prioritization will continue to be a challenge as far as both the patch release cycle and the installation cycle on the enterprise side.

"Our opinion is that last month's big release, plus the recent out-of-band, high-profile release, used up most of the normal production resources of MSFT's security team and they were only able to QA a limited number of new patches," said Wolfgang Kandek, CTO of Qualys Inc. "However, we do not think that is there is a slowdown in terms of vulnerabilities like this that constitute classes of vulnerabilities that are well known by now, but -- as we've seen -- not necessarily well defended against."