Gartner: Port Sniffing Spike May Signal Effort to Exploit Microsoft SMB Flaw

An analyst with Gartner warned customers that a recent spike in scanning activity on TCP Port 445 may mean attackers are gearing up to exploit a flaw patched last week by Microsoft in the widely used SMB protocol.

Gartner analyst John Pescatore issued the warning this week about an apparent increase in scanning (his note calls it "sniffing") of TCP port 445 that began last Friday. "The apparent increase in 'sniffing' on Port 445 is a serious concern for enterprise security managers, because it may indicate an impending mass malicious-code attack," Pescatore wrote.

TCP port 445 carries the Microsoft Server Message Block (SMB) protocol directly over TCP (SMB also runs over NetBIOS on TCP port 139). Microsoft patched a critical remote code execution flaw in its SMB implementation on June 14 with security bulletin MS05-027. An attacker able to reach the port on an unpatched system could use the flaw to take complete control of that computer over the Internet.

A Microsoft spokesperson said the Microsoft Security Response Center is aware of the spike in sniffing activity.

"As part of the Microsoft Security Response Center process, once they release those patches, they continue to actively monitor the environment. They're always monitoring for any malicious activity. They're not seeing anything that raises any alarm," the spokesperson said.

Microsoft gave three reasons it isn't overly concerned yet about the spike: a scan of port 445 is not specific to this flaw and could be a search for any of several other vulnerabilities, including ones on other platforms; no exploit code is publicly circulating; and no customers have reported being attacked.

Pescatore's research note advised customers to accelerate patching of all Windows systems, apply the bulletin's workarounds until patching is complete, and review firewall rules so that inbound access to TCP port 445 is blocked wherever possible. Blocking the port at the perimeter does not protect laptops that leave the network or stop spread from an already-infected internal host, so it supplements the patch rather than replacing it.

The Microsoft spokesperson issued similar advice as standard precautions.
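The spike Pescatore describes is visible in perimeter firewall drop logs as a jump in the number of distinct external sources hitting TCP/445, often with single sources sweeping many internal hosts. The following is an added example, not code from the article, Gartner or Microsoft: it parses a constructed, simplified iptables/syslog-style log (the `LINE_RE` pattern and the sample addresses are assumptions for illustration and would need adapting to a real firewall's format), counts distinct sources probing TCP/445 per hour, flags hours that exceed a multiple of the earlier median, and lists sources that swept several internal hosts.

```python
"""Flag a spike in inbound TCP/445 (SMB) probes in firewall drop logs.

Added example, not part of the original article. The log format below is a
simplified iptables/syslog style constructed for illustration; adapt LINE_RE
to your own firewall's output.
"""
import re
from collections import defaultdict
from statistics import median

SMB_PORT = 445

# Constructed sample log (not real traffic): three quiet hours, then a burst
# of distinct sources probing TCP/445 across several internal hosts.
# Non-445 lines (HTTP, NetBIOS name service) are included to show filtering.
SAMPLE_LOG = """\
Jun 17 09:12:01 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=4521 DPT=445
Jun 17 09:40:17 fw kernel: DROP IN=eth0 SRC=203.0.113.11 DST=198.51.100.5 PROTO=TCP SPT=1034 DPT=445
Jun 17 09:41:02 fw kernel: DROP IN=eth0 SRC=203.0.113.11 DST=198.51.100.9 PROTO=TCP SPT=1035 DPT=80
Jun 17 10:05:44 fw kernel: DROP IN=eth0 SRC=203.0.113.12 DST=198.51.100.6 PROTO=TCP SPT=3312 DPT=445
Jun 17 10:33:09 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=4522 DPT=445
Jun 17 11:15:50 fw kernel: DROP IN=eth0 SRC=203.0.113.13 DST=198.51.100.7 PROTO=TCP SPT=2201 DPT=445
Jun 17 11:16:02 fw kernel: DROP IN=eth0 SRC=203.0.113.13 DST=198.51.100.7 PROTO=UDP SPT=137 DPT=137
Jun 17 11:58:31 fw kernel: DROP IN=eth0 SRC=203.0.113.14 DST=198.51.100.8 PROTO=TCP SPT=1999 DPT=445
Jun 17 12:00:03 fw kernel: DROP IN=eth0 SRC=192.0.2.21 DST=198.51.100.5 PROTO=TCP SPT=1025 DPT=445
Jun 17 12:00:04 fw kernel: DROP IN=eth0 SRC=192.0.2.21 DST=198.51.100.6 PROTO=TCP SPT=1026 DPT=445
Jun 17 12:00:04 fw kernel: DROP IN=eth0 SRC=192.0.2.21 DST=198.51.100.7 PROTO=TCP SPT=1027 DPT=445
Jun 17 12:00:05 fw kernel: DROP IN=eth0 SRC=192.0.2.21 DST=198.51.100.8 PROTO=TCP SPT=1028 DPT=445
Jun 17 12:01:10 fw kernel: DROP IN=eth0 SRC=192.0.2.22 DST=198.51.100.5 PROTO=TCP SPT=3301 DPT=445
Jun 17 12:02:47 fw kernel: DROP IN=eth0 SRC=192.0.2.23 DST=198.51.100.5 PROTO=TCP SPT=3302 DPT=445
Jun 17 12:03:12 fw kernel: DROP IN=eth0 SRC=192.0.2.24 DST=198.51.100.6 PROTO=TCP SPT=3303 DPT=445
Jun 17 12:05:55 fw kernel: DROP IN=eth0 SRC=192.0.2.25 DST=198.51.100.6 PROTO=TCP SPT=3304 DPT=445
Jun 17 12:09:20 fw kernel: DROP IN=eth0 SRC=192.0.2.26 DST=198.51.100.7 PROTO=TCP SPT=3305 DPT=445
Jun 17 12:14:41 fw kernel: DROP IN=eth0 SRC=192.0.2.27 DST=198.51.100.8 PROTO=TCP SPT=3306 DPT=445
Jun 17 12:20:08 fw kernel: DROP IN=eth0 SRC=192.0.2.28 DST=198.51.100.5 PROTO=TCP SPT=3307 DPT=445
"""

# Assumed log shape: "<Mon> <day> <hh:mm:ss> <host> kernel: <ACTION> ... SRC= DST= PROTO= ... DPT="
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hh>\d\d):\d\d:\d\d \S+ kernel: "
    r"(?P<action>\w+) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+) .*?DPT=(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["hour"] = f"{rec['mon']} {rec['day']} {rec['hh']}:00"  # hourly bucket key
    rec["dport"] = int(rec["dport"])
    return rec


def smb_probes_by_hour(log_text):
    """Return {hour: {src: set(dst)}} for TCP/445 hits only; other traffic is ignored."""
    hours = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dport"] == SMB_PORT:
            hours[rec["hour"]][rec["src"]].add(rec["dst"])
    return hours


def find_spikes(log_text, factor=3.0, min_sources=5):
    """Flag hours whose distinct-source count is at least `factor` times the median
    of all earlier hours and at least `min_sources` (absolute floor suppresses noise
    when the baseline is tiny). Assumes the log is in chronological order, since
    dict insertion order is used as the timeline. Returns [(hour, sources, baseline)]."""
    hours = smb_probes_by_hour(log_text)
    spikes, history = [], []
    for hour, by_src in hours.items():
        n = len(by_src)
        if history:
            base = median(history)
            if n >= min_sources and n >= factor * base:
                spikes.append((hour, n, base))
        history.append(n)
    return spikes


def horizontal_scanners(log_text, min_targets=3):
    """Sources that probed >= min_targets distinct internal hosts on 445 (a sweep),
    the pattern a worm or mass scanner leaves, as opposed to a single misdirected client."""
    targets = defaultdict(set)
    for by_src in smb_probes_by_hour(log_text).values():
        for src, dsts in by_src.items():
            targets[src] |= dsts
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for hour, n, base in find_spikes(SAMPLE_LOG):
        print(f"{hour}: {n} distinct sources on TCP/445 (baseline median {base})")
    for src, dsts in horizontal_scanners(SAMPLE_LOG).items():
        print(f"sweep from {src} -> {', '.join(dsts)}")
```

On the constructed log the noon hour is flagged (8 distinct sources against a median of 2) and 192.0.2.21 shows up as sweeping four internal hosts. Because a hit on port 445 alone says nothing about which flaw is being sought, as Microsoft's spokesperson points out above, treat this as a trigger to check patch status and firewall rules rather than as proof of an exploit; if you log both ports, run the same logic over TCP/139, which also carries SMB.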

Microsoft Security Bulletin MS05-027 has the full details and the workarounds.

See also A Look at the Microsoft Security Response Center's Playbook.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
