ARCHIVE
ID Number: G00129313



This research is provided for historical perspective;
portions of this document may not reflect current conditions.





More Port 445 Activity Could Mean Security Trouble
21 June 2005
 
John Pescatore  

An apparent increase in scanning activity may signal an impending malicious-code attack exploiting a critical Windows vulnerability. Take immediate steps to ensure that the affected Windows port is secure.











Contact Gartner






Download Document:

PDF
more_port_445_a...pdf (84.4KB)

Help with Downloads



News Analysis

Event

On 17 June 2005, media reports indicated that security vulnerability sensors have noted an increase in activity on TCP Port 445, which is associated with Microsoft Windows' Server Message Block (SMB) Protocol. This port could potentially be used to exploit the Microsoft Incoming SMB Packet Validation Remote Buffer Overflow Vulnerability (MS05-27), a critical flaw for which Microsoft released a patch on 14 June.

Return to Top

Analysis

The apparent increase in scanning on Port 445 is a serious concern for enterprise security managers, because it may indicate an impending mass malicious-code attack. Such attacks typically follow a highly predictable timeline:

1. A security vulnerability is identified and a patch is released.

2. Attackers use the patch to reverse-engineer the vulnerability.

3. Exploit code is developed and circulated on the Internet.

4. Attackers scan to find vulnerable systems.

5. A mass attack is launched.

The Port 445 activity may indicate that — in the week since Microsoft released the Windows patch — attackers have reached the fourth state in this process and may be preparing a mass attack employing the widely used SMB protocol.

Recommendations:

  • Accelerate your efforts to ensure that all Windows systems are patched.
  • Implement shielding or other "workarounds" until patching is complete.
  • Immediately review all firewall policies (including those covering personal firewall software) to ensure that Port 445 access is blocked wherever possible.
  • Update all intrusion prevention system filters (both network- and host-based) to block attempts to exploit this vulnerability.

Analytical Source: John Pescatore, Gartner Research

Recommended Reading and Related Research

(You may need to sign in or be a Gartner client to access the documents referenced in this First Take.)

Return to Top



© 2005 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The conclusions, projections and recommendations represent Gartner's initial analysis. As a result, our positions are subject to refinements or major changes as Gartner analysts gather more information and perform further analysis. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.




Resource Id: 481906