Monday
28Sep2009

SMBv2 Zero Day Exploit Code Publicly Released

Exploit code for an unpatched vulnerability in Microsoft SMBv2 has been released publicly. The exploit was originally discovered on September 8th but initially kept private. Apparently it fell into the wrong hands and was made public earlier today. This has likely escalated Microsoft's work on a patch to resolve the vulnerability. According to a September 18th blog post from Mark Wodrich and Jonathan Ness of MSRC Engineering, Microsoft had "already completed over 10,000 separate test cases in their regression testing" and were in the process of "stress testing, 3rd-party application testing, and fuzzing." That post was 10 days ago, so presumably Microsoft is now edging closer to releasing a patch.

According to the Microsoft Security Advisory (975497) detailing the vulnerability, the following operating systems are impacted:

  • Windows 7 Release Candidate
  • Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
  • Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2


Because the vulnerability exists only in v2 of SMB, Windows XP and Server 2003 (which use SMBv1) are not impacted.

The good news is those who have tested the exploit claim it is only able to remotely execute code on vulnerable systems when those operating systems are run in VMware environments. If run on a physical machine, allegedly the public exploit code simply causes the machine to crash - admittedly a still-serious form of denial of service attack, but an improvement over remote code execution. If true, this lessens the likelihood of a wormable exploit (at least based on the code as it currently exists).

In the interim, Microsoft has provided mitigation advice and workarounds in Microsoft Security Advisory 975497. That advice includes modifying the system registry to disable SMBv2 (file sharing then falls back to SMBv1, which is not vulnerable to the exploit). Microsoft has also provided "Microsoft Fix It", an automated online tool to disable (or re-enable) SMBv2.
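As an added example (not code from the original post and not Microsoft's Fix It tool), the same registry workaround written as a PowerShell script for an elevated prompt; the registry path and the Smb2 value name are the ones the advisory documents and do not appear in the text above, and the Get/Set functions are names chosen here:

```powershell
# Added example: the Advisory 975497 registry workaround as a script.
# The Server service reads the DWORD value Smb2 under
# HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.
# Value absent or 1 = SMBv2 enabled (default); 0 = SMBv2 disabled.
# Run from an elevated PowerShell prompt on Vista / Server 2008 / Windows 7 RC.

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb2State {
    # Reports 'Enabled' or 'Disabled' from the current registry value.
    $props = Get-ItemProperty -Path $LanmanParams -ErrorAction SilentlyContinue
    if ($props -ne $null -and
        $props.PSObject.Properties['Smb2'] -ne $null -and
        $props.Smb2 -eq 0) {
        return 'Disabled'
    }
    return 'Enabled'   # missing value means the default: SMBv2 on
}

function Set-Smb2State {
    param([Parameter(Mandatory = $true)][bool]$Enabled)
    if ($Enabled) { $value = 1 } else { $value = 0 }
    # Create or overwrite the DWORD, then restart the Server service
    # (-Force also restarts services that depend on it) so it takes effect.
    Set-ItemProperty -Path $LanmanParams -Name 'Smb2' -Value $value -Type DWord
    Restart-Service -Name 'LanmanServer' -Force
}

# Apply the workaround: disable SMBv2 until the patch ships;
# clients negotiate down to SMBv1, which this exploit does not affect.
Write-Host "Before: SMBv2 $(Get-Smb2State)"
Set-Smb2State -Enabled $false
Write-Host "After:  SMBv2 $(Get-Smb2State)"

# Once the patch is installed, undo the workaround with:
#   Set-Smb2State -Enabled $true
```

Disabling SMBv2 costs the performance and scalability improvements of the newer dialect, so track which hosts had the value set and re-enable it after patching.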

Currently ScanSafe is not aware of in-the-wild exploitation of the vulnerability but continues to monitor the situation closely.
