Network World
Experts say beast hiding in Microsoft Patch Tuesday vulnerability

Advice: Don't wait to patch Windows systems
By John Fontana, Network World
January 13, 2009 03:49 PM ET

Microsoft's first Patch Tuesday of 2009 arrived with a whisper: a single bulletin covering three vulnerabilities in the Windows operating system's Server Message Block (SMB) protocol.

But it is the nature of the possible exploit of those vulnerabilities that could have IT screaming for mercy, according to security experts.

While the bulletin is rated critical, Microsoft's new exploitability index gives MS09-001 only a 3, the lowest rating, meaning functioning exploit code is unlikely. None has been posted online, although some experts are seeing discussions on hacker sites.

Despite the seemingly light fare, experts say IT should not be slow in applying the patch. An attacker does not need to steal any credentials in order to take over a machine or perform a denial-of-service (DoS) attack. Two of the three vulnerabilities can lead to remote code execution; the third can lead to a DoS.

"In today's bulletin, the attacker does not require any credentials," says Amol Sarwate, manager of the vulnerabilities research lab at Qualys. "The vulnerable SMB ports are almost always guaranteed to be open for Windows to function properly so I would say this one is pretty serious."

And because the vulnerable code sits in the SMB server service that Windows itself exposes on the network, no user interaction has to occur before a machine can be attacked. The mere presence of a listening SMB service on the network makes the host vulnerable.

The patch is rated "critical" on Windows 2000, XP and Server 2003 because NetBIOS is turned on by default, but only "moderate" on Vista and Windows Server 2008, where NetBIOS is off by default.

Many corporate machines have NetBIOS open (the SMB service is reached over NetBIOS session on TCP port 139 or directly on TCP port 445) because it is used for remote management of the computer.
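The point Sarwate and the bulletin make is that the attack surface is reachable before any authentication takes place: the first message of every SMB session is an unauthenticated negotiate request. The script below is an added example, not code from the article, Microsoft or any of the vendors quoted. It builds that SMB_COM_NEGOTIATE request, sends it to TCP port 445 (direct-hosted SMB; it does not try NetBIOS on 139) and parses the reply, so you can enumerate which hosts expose the service at all. It assumes a classic SMB1 client header with typical flag values and a constructed sample reply for the offline demo; a reply means the service is reachable, not that MS09-001 is missing or present.

```python
import socket
import struct
import sys

# Added example, not code from the article: an unauthenticated SMB
# reachability probe. It sends the first message any SMB client sends,
# SMB_COM_NEGOTIATE, over direct-hosted SMB (TCP/445) and reports whether
# the host answered with a negotiate response. No credentials are involved
# at this stage, which is the exposure the article describes. A reply means
# the service is reachable from where you ran it; it says nothing about
# whether MS09-001 is installed.

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB_FLAGS_REPLY = 0x80
# Dialects a classic Windows client offers; the server answers with an
# index into this list (0xFFFF if it supports none of them).
DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12"]
HEADER_FMT = "<BIBHH8sHHHHH"  # SMB1 header after the 4-byte magic (28 bytes)


def _smb_header(command, flags, flags2):
    """Build the 32-byte SMB1 header (magic plus fixed fields, NT_STATUS 0)."""
    return SMB_MAGIC + struct.pack(
        HEADER_FMT,
        command,      # Command
        0,            # NT_STATUS
        flags,        # Flags
        flags2,       # Flags2
        0,            # PIDHigh
        b"\x00" * 8,  # SecuritySignature (no signing yet)
        0,            # Reserved
        0,            # TID (no tree connected before negotiate)
        0xFEFF,       # PIDLow (value typical of Windows clients; assumed)
        0,            # UID (no session yet, hence no credentials needed)
        0,            # MID
    )


def _netbios_frame(smb_message):
    """Prefix a NetBIOS session-service header: type 0x00 + 3-byte length."""
    return b"\x00" + len(smb_message).to_bytes(3, "big") + smb_message


def build_negotiate_request():
    """Return the bytes of a framed SMB1 negotiate request (86 bytes here)."""
    dialects = b"".join(b"\x02" + d + b"\x00" for d in DIALECTS)
    # Flags 0x18 and Flags2 0xC853 are typical client values (case-insensitive
    # paths; unicode, NT status codes, extended security). WordCount is 0.
    body = b"\x00" + struct.pack("<H", len(dialects)) + dialects
    return _netbios_frame(_smb_header(SMB_COM_NEGOTIATE, 0x18, 0xC853) + body)


def parse_negotiate_response(data):
    """Parse raw bytes read back from the socket.

    Returns None unless the bytes are an SMB negotiate *reply*; otherwise a
    dict with the NT status, the dialect the server chose and its WordCount.
    """
    if len(data) < 4 + 32 + 1 or data[0] != 0x00:
        return None
    length = int.from_bytes(data[1:4], "big")
    smb = data[4:4 + length]
    if len(smb) < 33 or not smb.startswith(SMB_MAGIC):
        return None
    if smb[4] != SMB_COM_NEGOTIATE or not smb[9] & SMB_FLAGS_REPLY:
        return None
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    dialect = None
    if word_count >= 1 and len(smb) >= 35:
        index = struct.unpack_from("<H", smb, 33)[0]  # index into our list
        if index < len(DIALECTS):
            dialect = DIALECTS[index].decode()
    return {"status": status, "dialect": dialect, "word_count": word_count}


def check_smb_exposure(host, port=445, timeout=3.0):
    """Connect, send the negotiate request, return the parsed reply or None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate_request())
            data = sock.recv(4096)
    except OSError:
        return None
    return parse_negotiate_response(data)


# Constructed sample reply (not captured from a real host): a server picking
# dialect 2, "NT LM 0.12", with NT_STATUS 0 and a 17-word parameter block.
SAMPLE_RESPONSE = _netbios_frame(
    _smb_header(SMB_COM_NEGOTIATE, 0x18 | SMB_FLAGS_REPLY, 0xC853)
    + bytes([17])              # WordCount
    + struct.pack("<H", 2)     # DialectIndex
    + b"\x00" * 32             # remaining 16 words (zeroed in this sample)
    + struct.pack("<H", 0)     # ByteCount
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], check_smb_exposure(sys.argv[1]))
    else:
        print("offline demo:", parse_negotiate_response(SAMPLE_RESPONSE))
```

Run it with a host name or address to probe a live system from the segment you care about; any host that answers the negotiate is one on which an attacker reaches the vulnerable code without a password, and therefore one to patch first. Note that the reply bit in Flags is what separates a server answer from an echoed request, so a port that merely accepts the TCP connection does not count as exposed.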

"This one scares me – a lot," says Eric Schultze, CTO of Shavlik Technologies. "It is a lot like Blaster and Sasser. It is the same exploit vector. If I am an attacker and I can touch NetBios then I can execute code with no credentials."

Don Leatham, senior director of solutions and strategy for Lumension, however, adds that the SMB vulnerabilities addressed by MS09-001 "are not wormable."

SMB was also the subject of Microsoft's November 2008 patch release, which included bulletin MS08-068, closing a hole that had existed for seven years.

In addition to the first patch of 2009, Microsoft released an update to its Malicious Software Removal tool.

Microsoft also did not release a patch for the SQL Server vulnerability that came to light late last month. The bug affects SQL Server 2000, SQL Server 2005, SQL Server 2005 Express Edition, SQL Server 2000 Desktop Engine (MSDE 2000 and WMSDE) and Windows Internal Database.

Comments (2)
And when they push the fix could they . . .
By Anonymous on January 14, 2009, 4:20 pm
Something took out my ability to use MS Help for Windows and VBasic - and it was likely something in the updates. It has to do with the registry not providing the...

Microsoft cutting back on QA
By Anonymous on January 14, 2009, 7:12 pm
I have worked at Microsoft and know full well how poorly managed their quality assurance is, which should have caught this in the first place a long time ago.