Skip to main content

Dangerous Windows flaw could lead to mass worm attack: What you can do [UPDATED]

Computer worms crawling over a circuit board.
(Image credit: wk1003mike/Shutterstock)

UPDATE: Aaaand ... it's fixed, as of March 12. More details below. This story was first published on March 11, 2019.

Just before pushing out yesterday's Patch Tuesday round of fixes, Microsoft accidentally disclosed a new Windows flaw -- and then decided for some reason not to fix it. 

The vulnerability could let malware "worm" its way through corporate computer networks and possibly through the internet as well, similar to the NotPetya and WannaCry worms of 2017. But any exploits of this worm likely wouldn't be as devastating as those two.

The flaw affects only Windows 10 versions 1903 and 1909 and Windows Server 2019. You can check to see if you're running either 1903 or 1909 by going to Settings, then System and then About.

How to (temporarily) protect yourself

Until Microsoft releases a patch for this flaw, your best bet is to manually disable port 445 in the Windows firewall. Here's how. (Make sure you're logged in as an admistrative user.)

  1. Type "firewall" into the search field at the bottom left of the screen. 
  2. When the Windows Defender Firewall window opens, click Advanced settings.
  3. In the resulting Windows Defender Firewall with Advanced Security window, click Inbound Rules in the top left.
  4. Click New Rule over on the top right.
  5. In the resulting New Inbound Rules Wizard window, select Port and click the Next button on the bottom of the window.
  6. In the next window, select TCP and Specific local ports. In the field next to Specific local ports, type 445 and click the Next button.
  7. In the resulting Action window, select Block the connection and click Next.  
  8. In the resulting Profile window, leave Domain, Private and Public all checked and click Next.
  9. Give the new rule a new name, such as "Port 445 Inbound Block" and click Finish.
  10. Click on Outbound Rules in the Windows Defender Firewall with Advanced Security window and repeat steps 4-9. 

The downside of blocking port 445 is that you won't be able to share your connection to a printer or a file with another PC on the same local network.

What's going on here

The flaw has to do with Server Message Block protocol version 3.1.1, aka SMBv3. In a Microsoft security advisory, the software maker deems it a "critical" "remote code execution vulnerability," adding that an "attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client," i.e. computers and servers that use SMBv3.

Security firm Fortinet, which presumably got advance information about Microsoft's Patch Tuesday updates, yesterday described the flaw as "a Buffer Overflow Vulnerability in Microsoft SMB Servers." 

Buffer overflows are fairly routine software flaws that result from programs exceeding their allotted amount of space in a system's running memory. When that happens, the overflow bleeds into memory space allotted for a different program, or into unallotted memory space. The result is that code in the overflowed area can now run code in the first program.

"The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet," Fortinet wrote. "A remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the application."

Cisco's Talos blog, in a summary of Microsoft's Patch Tuesday updates, wrote yesterday that "the exploitation of this vulnerability opens systems up to a 'wormable' attack, which means it would be easy to move from victim to victim." 

The Talog blog post was subsequently taken down and replaced by a new version that didn't mention the SMB flaw.

So should we be running around screaming? Probably not. Rendition Security founder and minor information-security legend Jake Williams, aka MalwareJake, yesterday tweeted that "this IS serious, but it isn't WannaCry 2.0."

"Fewer systems are impacted and there's no readily available exploit code," Williams added. "Hysteria is unwarranted."

UPDATE: Microsoft patches the wormable flaw

On March 12, Microsoft quietly pushed out an update to resolve what it called "a Microsoft Server Message Block 3.1.1 protocol issue" -- i.e., this very serious vulnerability.

If you've got Windows 10 versions 1903 or 1909 and have Windows Update set to download and install security patches automatically, then all you have to do is leave your computer running for a few hours. 

If you've got Windows Update set to wait until you install updates manually, or you're just impatient, then go to Settings --> Update & Security --> Windows Update and click the "Check for updates" button.