Windows 10 vulnerable to dangerous 'worm' attack — DHS urges you to patch your PC ASAP
SMBGhost flaw from March has been weaponized
If you haven't patched your Windows systems since March 10, better do so now, warns the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency.
That's because new proof-of-concept code was released last week that exploits a flaw -- known as SMBGhost or, um, Eternal Darkness -- in the Server Message Block (SMB) protocol that Microsoft patched March 12, two days after its regular March Patch Tuesday round.
The flaw affects Windows 10 builds 1903 and 1909, but older or newer versions of Windows 10 are not vulnerable. A truly successful exploit of SMBGhost would create an unrestricted "worm" that could spread through the internet on its own, similar to the WannaCry ransomware worm of 2017.
"Malicious cyber actors are targeting unpatched systems with the new PoC [proof-of-concept], according to recent open-source reports," the CISA advisory, released June 5, warns. "CISA strongly recommends using a firewall to block SMB ports from the internet and to apply patches to critical- and high-severity vulnerabilities as soon as possible."
This isn't the first proof-of-concept to exploit the SMBGhost flaw, and it doesn't even work that well yet. But it permits fairly consistent remote code execution, i.e., hacking over the internet, which puts it one step closer to a worldwide worm.
"This has not been tested outside of my lab environment. It was written quickly and needs some work to be more reliable," wrote the proof-of-concept's developer, who calls herself Chompie, in a GitHub posting. "Using this for any purpose other than self-education is an extremely bad idea. Your computer will burst in flames. Puppies will die."
Chompie provided a video demonstrating the exploit, in which a Mac uses it to hack a PC.
This was a pain 😂. But I was able to achieve RCE with CVE 2020-0796 #SMBGhost. pic.twitter.com/mvQ0YQt9GT (June 1, 2020)
Will Dormann, a vulnerability analyst at the Pentagon-funded CERT Coordination Center at Carnegie Mellon University in Pittsburgh, said that Chompie's exploit code was "not completely reliable, but ... does indeed work!"
Not completely reliable, but this CVE-2020-0796 PoC does indeed work! https://t.co/0ZX2biA4kO pic.twitter.com/RNu39PuirK (June 5, 2020)
The very fact that even partly working network-jumping exploits of SMBGhost are out there -- and that bad guys may be using them, per CISA -- means that any Windows 10 1903 or 1909 build that hasn't installed the March patch is vulnerable to attack from the internet.
The solution, obviously, is to install the stand-alone patch that Microsoft issued March 12. You could also just upgrade to Windows 10 build 2004, which is being rolled out to PCs now. And, if you can, set your firewall to externally block port 445. (We've got instructions here.)
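A quick way to check a single PC against both recommendations above, as an added PowerShell example that is not part of the original article or of any Microsoft or CISA tooling. It assumes (these values are not stated in the article) that versions 1903 and 1909 report OS builds 18362 and 18363, and that the March 12 update raises the update build revision (UBR) to 720; the function names are hypothetical.

```powershell
# Added example: local SMBGhost (CVE-2020-0796) patch and port-445 check.
# Assumptions (not from the article): 1903/1909 report OS builds 18362/18363,
# and the March 12 update brings the update build revision (UBR) to 720.
$AffectedBuilds = @{ 18362 = '1903'; 18363 = '1909' }
$PatchedUbr     = 720

function Get-SmbGhostPatchState {
    param([int]$Build, [int]$Ubr)
    # Only the two affected Windows 10 versions are in scope.
    if (-not $AffectedBuilds.ContainsKey($Build)) { return 'NotAffected' }
    if ($Ubr -ge $PatchedUbr) { return 'Patched' }
    return 'Vulnerable'
}

function Get-Inbound445AllowRule {
    # Enabled inbound Allow rules whose TCP local-port filter names 445.
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains '445' } |
        Get-NetFirewallRule |
        Where-Object {
            $_.Enabled -eq 'True' -and
            $_.Direction -eq 'Inbound' -and
            $_.Action -eq 'Allow'
        } |
        Select-Object DisplayName, Profile
}

# Build and revision as recorded by Windows itself.
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$state = Get-SmbGhostPatchState -Build ([int]$cv.CurrentBuild) -Ubr ([int]$cv.UBR)
$rules = @(Get-Inbound445AllowRule)

[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    OsBuild              = "$($cv.CurrentBuild).$($cv.UBR)"
    PatchState           = $state
    Inbound445AllowRules = $rules.Count
    # Rules active on the Public profile are the ones that matter on untrusted networks.
    PublicProfileExposed = [bool]($rules | Where-Object { "$($_.Profile)" -match 'Public|Any' })
}
```

This only inspects the host's own Windows Firewall rules; whether port 445 is blocked from the internet also depends on the router or perimeter firewall in front of the PC.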
In theory, you ought to install all Microsoft security patches as soon as they are issued. But that often creates its own set of problems, especially for enterprises with dozens or hundreds of PCs being patched at once.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
