Microsoft issued an emergency patch for an RCE vulnerability, but only after some security partners accidentally disclosed details of the flaw in the Server Message Block (SMB) protocol.
The fix from Microsoft addresses a remote code execution (RCE) vulnerability that could allow attackers to execute code on a victim’s server or client, which is why analysts considered it very dangerous.
“To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it,” Microsoft explained. The new security update corrects the way the SMBv3 protocol handles these specially crafted requests. This way, the company prevents any possibility that a potential attacker could execute code on a victim’s server or client.
No interaction needed to spread
SophosLabs considers that the flaw, named SMBGhost, does not require user interaction to spread, which makes it wormable. WannaCry attackers exploited another such bug in 2017.
Although it did not scan for exposed clients, Kryptos Logic, a security vendor, claimed that about 48,000 servers are at risk right now because of the new vulnerability. So, this could be a very important breach.
In fact, Microsoft had to rush the patch for the RCE vulnerability because some of its partners in the Microsoft Active Protections Program offered details on the vulnerability.
Its decision also came just a few days after it managed to bust the dangerous Necurs botnets. The company managed to disrupt them after years of effort and different types of approaches. To do this, researchers performed forensic analysis as well as reverse engineering, malware analysis and module updates. Although it was a major event for Microsoft, it seems the company did not have the chance to enjoy this achievement.