More Port 445 Activity Could Mean Security Trouble

G00129313


Summary

An apparent increase in scanning activity may signal an impending malicious-code attack exploiting a critical Windows vulnerability. Take immediate steps to ensure that the affected Windows port is secure.

News Analysis

Event

On 17 June 2005, media reports indicated that security vulnerability sensors had noted an increase in activity on TCP Port 445, which is associated with Microsoft Windows' Server Message Block (SMB) protocol. This port could potentially be used to exploit the Microsoft Incoming SMB Packet Validation Remote Buffer Overflow Vulnerability (MS05-027), a critical flaw for which Microsoft released a patch on 14 June.

Analysis

The apparent increase in scanning on Port 445 is a serious concern for enterprise security managers, because it may indicate an impending mass malicious-code attack. Such attacks typically follow a highly predictable timeline:

1. A security vulnerability is identified and a patch is released.

2. Attackers use the patch to reverse-engineer the vulnerability.

3. Exploit code is developed and circulated on the Internet.

4. Attackers scan to find vulnerable systems.

5. A mass attack is launched.

The Port 445 activity may indicate that, in the week since Microsoft released the Windows patch, attackers have reached the fourth stage in this process and may be preparing a mass attack employing the widely used SMB protocol.

Recommendations:

  • Accelerate your efforts to ensure that all Windows systems are patched.

  • Implement shielding or other "workarounds" until patching is complete.

  • Immediately review all firewall policies (including those covering personal firewall software) to ensure that Port 445 access is blocked wherever possible.

  • Update all intrusion prevention system filters (both network- and host-based) to block attempts to exploit this vulnerability.
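To put a number on the kind of Port 445 scanning the analysis describes, the following added example (not part of this Gartner note) reads firewall log lines, flags sources that touch many distinct hosts on TCP/445, and compares the day's total against a baseline. The log layout, addresses and thresholds are constructed assumptions.

```python
"""Flag sources sweeping TCP/445 in firewall logs and compare the daily
count against a baseline. Sample data and field layout are constructed."""
from collections import defaultdict
import re

# Constructed log lines in a hypothetical "ts src dst dport action" layout.
SAMPLE_LOG = """\
2005-06-17T09:00:01 10.0.0.5 192.0.2.10 445 DENY
2005-06-17T09:00:02 10.0.0.5 192.0.2.11 445 DENY
2005-06-17T09:00:02 10.0.0.5 192.0.2.12 445 DENY
2005-06-17T09:00:03 10.0.0.5 192.0.2.13 445 DENY
2005-06-17T09:00:04 10.0.0.5 192.0.2.14 445 DENY
2005-06-17T09:00:05 10.0.0.5 192.0.2.15 445 DENY
2005-06-17T09:01:00 10.0.0.9 192.0.2.10 445 ALLOW
2005-06-17T09:01:30 10.0.0.9 192.0.2.10 80 ALLOW
2005-06-17T09:02:00 10.0.0.7 192.0.2.20 445 DENY
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (ALLOW|DENY)$")


def parse(log_text):
    """Yield (ts, src, dst, dport, action) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport, action = m.groups()
            yield ts, src, dst, int(dport), action


def port445_sweepers(log_text, min_targets=5):
    """Map src -> number of distinct hosts it hit on 445, for >= min_targets."""
    targets = defaultdict(set)
    for _, src, dst, dport, _ in parse(log_text):
        if dport == 445:
            targets[src].add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}


def count445(log_text):
    """Total TCP/445 hits (allowed or denied) in the log."""
    return sum(1 for rec in parse(log_text) if rec[3] == 445)


def above_baseline(today_count, baseline_counts, factor=2.0):
    """True when today's 445 hits exceed `factor` times the baseline mean."""
    if not baseline_counts:
        return False
    return today_count > factor * (sum(baseline_counts) / len(baseline_counts))


if __name__ == "__main__":
    print(port445_sweepers(SAMPLE_LOG))                      # {'10.0.0.5': 6}
    print(count445(SAMPLE_LOG))                              # 8
    print(above_baseline(count445(SAMPLE_LOG), [2, 3, 3]))   # True
```

A source that hits many distinct hosts on 445 in a short window is the scanning signature the analysis refers to; the baseline comparison is what turns a raw count into the "increase" the sensors reported.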

Analytical Source: John Pescatore, Gartner Research


© 2005 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.
