News

CERT Warns of Windows Shares Vulnerability

• By Scott Bekker
• March 12, 2003

The security researchers at CERT are finding an increase in reports of Windows 2000 and Windows XP system compromises due to poorly protected file shares. Attackers are exploiting weak or missing passwords on Administrator accounts on Server Message Block (SMB) file shares.

"This activity has resulted in the successful compromise of thousands of systems, with home broadband users' systems being a prime target," CERT warned in a bulletin issued Tuesday evening.

As is often the case with such vulnerabilities, the wider spread of automated attack tools makes the misconfiguration easier to exploit even for unsophisticated attackers. Tools recently used to scan for vulnerable systems include W32/Deloder, GT-bot, sdbot and W32/Slackor, according to the CERT/CC.

Windows uses the SMB protocol to share files and printers with other computers, and in Windows 2000 and Windows XP, SMB can be run directly over TCP/IP on port 445/tcp. Attackers have been targeting blocks of IP addresses known to have heavy concentrations of poorly protected systems, and have been harvesting compromised systems for Distributed Denial of Service attacks and other purposes.

The CERT/CC recommendation list for the problem is the standard set of remote user security reminders -- making sure Windows 2000 and Windows XP users create strong Administrator passwords, run anti-virus products, avoid programs of unknown origin, deploy a firewall, and filter traffic.

The full CERT/CC advisory can be found at: www.cert.org/advisories/CA-2003-08.html.