If your not doing it already, there is yet another good reason why blocking TCP port 445 is a good idea. A new exploit ( http://seclists.org/fulldisclosure/2009/Sep/0039.html ) has been made public which has been reported as causing a crash on Windows Server 2008 but we have not verified this, but we have tested it as affecting both Vista and Windows 7. In most cases the system will restart after the crash causing a DOS attack.

Other reports ( http://www.reversemode.com/index.php?option=com_mamblog&Itemid=15&task=show&action=view&id=64&Itemid=15 ) suggest that this causes more than a crash and it results in remote code execution, which if true usually lead to new forms of malware spreading very rapidly.

TCP port 445 is commonly used for Windows shares which is generally not required over the Internet, and is frequently utilised for spreading malware. A recent notable case being Conficker which would scan for and infect vulnerable systems on this port. There is no patch for this latest vulnerability and the only way to prevent remote attackers causing this exploit is to prevent them from accessing your systems on TCP port 445, this is usually done on firewalls.

This entry was posted on Monday, September 21st, 2009 at 10:49 am and is filed under Advisories. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.