An unpatched vulnerability in Windows 10 and Windows Server 2019 may enable hackers to develop a self-propagating computer worm that rapidly infects vulnerable machines by jumping from from device to device.

It appears that the bug was accidentally disclosed before Microsoft had a fix ready. Ars Technica reported today that cybersecurity provider Fortinet Inc. and networking giant Cisco Systems Inc. issued public advisories about the issue on Tuesday but soon thereafter took them down.

Microsoft has since confirmed the existence of the vulnerability, posting a guide detailing a temporary workaround that administrators can implement to protect their companies. The workaround description and mistimed advisories offer some insight into the nature of the problem.

It exists in the SMBv3 protocol that Windows systems employ to transfer data to other machines on the same local network. The technology is also widely used for connecting to printers. Hackers can abuse the data compression feature in SMBv3 to send malicious code to a machine and, once they infect it, use the protocol to spread the malicious payload to other devices on the network the same way. 

“The exploitation of this vulnerability opens systems up to a ‘wormable’ attack, which means it would be easy to move from victim to victim,” researchers from Cisco’s Talos cybersecurity unit explained.

So-called wormable vulnerabilities have been discovered in SMB before and their severity varied. The notorious EternalBlue flaw affecting SMBv1, an earlier version of the protocol, led to the WannaCry and NotPetya worms that caused an estimated $10 billion in damage a few years ago. But the more recent BlueKeep flaw has so far been found to have been used in only a limited number of attacks, none of them involving self-propagating worms.

It’s believed that this week’s SMBv3 vulnerability likely won’t pose as big of a threat as EternalBlue. One reason is that the SMBv3 protocol is less widely used than the SMBv1 release which EternalBlue targeted. Another difference is that there’s no ready-made exploit code hackers can use to launch attacks, which should buy the industry time to harden affected systems.

Microsoft’s temporary workaround will allow administrators to reduce the risk of attack while awaiting the patch. The company is advising to disable SMB’s compression feature and block the 445 port the protocol uses to transmit data.   

Photo: Unsplash