Update and Clarifications in Microsoft Security Advisory 935964

Hello everyone,

This is Christopher Budd. I wanted to let you know that we’ve made a revision to our security advisory to provide some additional details and clarifications.

First, though, I wanted to let you know that the situation has not changed. Our teams are continuing to work on developing and testing updates for this issue, and our ongoing monitoring of the situation shows that attacks are still not widespread.

Currently, we are aware of four pieces of malicious software attempting to exploit this vulnerability. However, none of these automatically self-propagate. We have technical details on each of these in our Malicious Software Encyclopedia:

· Siveras.B

· Siveras.C

· Siveras.D

· Siveras.E

Also, we have an entry with information on the public proof of concept code from this past weekend here:

· Siveras.A

I’ll note once again that the workarounds in our security advisory are effective against the attacks we’ve seen so far.

We have added one new piece of information to our security advisory. Specifically, we’ve added port 139 to the list of ports you should block for the Firewall and IPSec workarounds.

The other updates we’ve made clarify some of the information already in the security advisory based on customer questions. Specifically we’ve clarified that:

· All the workarounds are effective against attempts to exploit the vulnerability over RPC, port 445 and port 139.

· For ports 445 and 139, an attacker will need to authenticate using a valid username and password. These do not allow unauthenticated attacks the same way RPC does. However, the guest account, which is disabled by default, could be used if it has been enabled.

· Customers may encounter issues with DNS Server local administration and configuration using DNS administration tools when the computer name is exactly 15 characters (not 15 characters or more, as was first posted). Using the Fully Qualified Domain Name (FQDN) of the computer will avoid this issue.
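As an added example (not part of this post or of the advisory itself), the PowerShell check below covers the three clarifications above plus the firewall port list: it reports whether the Guest account is enabled, whether the computer name is exactly 15 characters, and whether an enabled inbound block rule covers TCP 139 and 445. It assumes a current Windows Server with the LocalAccounts and NetSecurity modules; those cmdlets postdate the 2007 advisory, and the rule name it suggests is hypothetical.

```powershell
# Added example, not Microsoft's code: pre-checks for the Advisory 935964 workarounds.
# Assumes Get-LocalUser, Get-NetFirewallRule and Get-NetFirewallPortFilter are available.

# 1. Attacks over 139/445 need a valid account, so the Guest account matters only if
#    someone has enabled it (it is disabled by default). Report its state.
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) {
    Write-Warning 'Guest account is ENABLED: the authenticated SMB paths (139/445) are reachable with it.'
} else {
    Write-Output 'Guest account is disabled (default).'
}

# 2. The DNS administration tool issue occurs only when the NetBIOS computer name is
#    exactly 15 characters; the advisory's advice is to connect by FQDN instead.
$name = $env:COMPUTERNAME
$fqdn = [System.Net.Dns]::GetHostEntry($name).HostName
if ($name.Length -eq 15) {
    Write-Warning "Computer name '$name' is exactly 15 characters; manage the DNS server via its FQDN: $fqdn"
} else {
    Write-Output "Computer name '$name' is $($name.Length) characters; no 15-character issue."
}

# 3. Firewall workaround: confirm an enabled inbound Block rule covers TCP 139 and 445
#    (port 139 was added to the advisory's port list in this revision).
#    Port ranges such as '137-139' are not parsed here; 'Any' counts as covering both.
$required = @('139', '445')
$blocked = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True) {
    $rule | Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' } |
        ForEach-Object { $_.LocalPort }
}
$missing = if ($blocked -contains 'Any') { @() } else { $required | Where-Object { $blocked -notcontains $_ } }
if ($missing) {
    Write-Warning "No enabled inbound block rule found for TCP port(s): $($missing -join ', ')"
    # Uncomment to add the missing rule (hypothetical rule name):
    # New-NetFirewallRule -DisplayName 'Advisory 935964 - block 139/445' `
    #     -Direction Inbound -Protocol TCP -LocalPort $missing -Action Block
} else {
    Write-Output 'Inbound TCP 139 and 445 are blocked by an enabled rule.'
}
```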

Our work on and monitoring of this issue are ongoing, and, as always, we’ll let you know when we have more information.

In the meantime, we continue to encourage customers to deploy the workarounds, preferably the registry key workaround, and to update their security products with the latest signatures to help ensure they have the latest protections.



*This posting is provided “AS IS” with no warranties, and confers no rights.*