Microsoft won’t patch 20-year-old SMBv1 vulnerability (you should just turn the service off)

Laurent Giret

Following the recent WannaCry and Petya ransomware attacks, Microsoft recommended that all Windows 10 users remove the largely unused but vulnerable SMBv1 file-sharing protocol from their PCs. Both strains of ransomware used the same SMBv1 exploit to spread across networks, even though Petya seems to have mostly affected Windows PCs in Ukraine.

Anyway, if you haven’t turned off the protocol on your PC already, you really should: not only because new WannaCry/Petya variants could once again use the same vulnerability to encrypt your files, but because another 20-year-old flaw has just been unveiled at the recent DEF CON hacker conference (via Security Affairs).

The SMB security flaw, called “SMBLoris”, was discovered by security researchers at RiskSense, who explained that it can lead to denial-of-service (DoS) attacks affecting every version of the SMB protocol and all versions of Windows since Windows 2000. More importantly, a Raspberry Pi and just 20 lines of Python code are enough to bring a Windows server to its knees.

RiskSense discovered the SMB vulnerability while analyzing EternalBlue, the leaked SMB exploit behind the recent ransomware attacks. They disclosed the flaw to Microsoft in June, but the company said that it won’t fix it. “The case offers no serious security implications and we do not plan to address it with a security update,” a Microsoft spokesperson told Threatpost. “For enterprise customers who may be concerned, we recommend they consider blocking access from the internet to SMBv1.”

Microsoft is planning to remove the SMBv1 protocol entirely in the Windows 10 Fall Creators Update, so it may not be as bad as it seems. However, everyone still running older versions of Windows will remain affected by the issue, which is why it’s strongly recommended to simply disable the SMBv1 protocol. To do so, check the detailed instructions in our previous post about it.
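For readers who want to act on both pieces of advice in this article (disable SMBv1, and block internet access to it) without leaving PowerShell, here is an added example script; it is not from the article or from Microsoft's own instructions. It assumes a Windows 10 host with the built-in SmbShare, DISM and NetSecurity modules, and an elevated prompt; the firewall rule name is chosen here.

```powershell
#Requires -RunAsAdministrator
# Added example: audit the SMBv1 state, disable it, and block inbound SMB
# (TCP 445) on the Public firewall profile, which is the single-host version
# of Microsoft's "block access from the internet to SMBv1" advice.
# Assumes Windows 10 with the built-in SmbShare, DISM and NetSecurity modules.

function Get-Smb1State {
    # Report both the optional-feature state and the server's runtime setting;
    # either one being enabled leaves the host answering SMBv1 requests.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $server  = Get-SmbServerConfiguration
    [pscustomobject]@{
        FeatureState      = $feature.State            # Enabled / Disabled
        ServerSmb1Enabled = $server.EnableSMB1Protocol # $true / $false
    }
}

function Disable-Smb1 {
    # Turn off the server-side SMBv1 dialect immediately, then remove the
    # optional feature so the SMBv1 driver is no longer loaded after a reboot.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Block-InboundSmbOnPublic {
    # Block TCP 445 inbound on the Public profile only, so domain/private file
    # sharing keeps working while internet-facing interfaces stop answering SMB.
    $name = 'Block inbound SMB (TCP 445) on Public networks'   # rule name chosen here
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Profile Public -Action Block | Out-Null
    }
}

'Before:'; Get-Smb1State
Disable-Smb1
Block-InboundSmbOnPublic
'After:';  Get-Smb1State
Write-Host 'Reboot to finish removing the SMB1Protocol feature.'
```

Run Get-Smb1State again after the reboot: both fields should read Disabled/False, and the firewall rule can be confirmed with Get-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445) on Public networks'.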