Tuesday's 115-Fix Day was Not Enough: Microsoft Emits OOB Crisis SMBv3 Worm-Cure Patch
martyb writes:
Designated CVE-2020-0796, the bug can be exploited by an unauthenticated attacker to execute malicious code, at administrator level, on an un-patched system simply by sending the targeted system specially crafted compressed data packets. A hacker thus just needs to reach a vulnerable machine on the internet or network to fully compromise it.
[...]"While we have not observed an attack exploiting this vulnerability, we recommend that you apply this update to your affected devices with priority," Microsoft says of the update.
The SMB bug fix was a late addition to Microsoft's March edition of Patch Tuesday - after the security hole was accidentally disclosed by the Cisco Talos research team in a blog post recapping this month's updates: Cisco thought Microsoft had fixed the bug this week as part of March's Patch Tuesday, and alerted the world to the bug's presence to get people to install their updates. In reality, Microsoft hoped to patch the hole later this year, no patch was available, and now everyone knew there was a hole in the compression part of the SMBv3 code.
The revelation sent Microsoft scrambling to post a fix for the flaw just hours after it had emitted updates for 115 other CVE-listed security vulnerabilities.
Designed to allow shared access to files, printers, and hardware ports, SMBv3 is a network protocol included in desktop and server editions of Windows. The bug was particularly nasty as it did not require user interaction and thus could have been exploited by a worm to spread over an entire network.
"Worm". How many here have ever experienced an internet worm? I remember the havoc caused by the original Morris worm when it was released way back on Wednesday, November 2, 1988. We were off the net for at least a full day as our admins tried to figure out what was going on. And even when we got back on-line, things took several days to get back to anything approaching normal.
Not only has the internet grown tremendously over the past 30+ years, the world is now so much more dependent on it.
Also at: Security Week.
Read more of this story at SoylentNews.