Urgent Security Patch for Windows PCs

Urgent Security Patch for Windows PCs

September 12, 2002

Christopher Rice

Any unpatched WinNT/2K/XP or .NET machine on your network that's listening on port 139 and/or 445 can be crashed in about two seconds with a malformed SMB packet.

Server Message Block (SMB) is the protocol that Microsoft uses to share files, printers, and serial ports. SMB is also used to communicate between computers by using named pipes and mail slots. In a networked environment, servers make file systems and resources available to clients. Clients make SMB requests for resources, and servers make SMB responses in what is described as a client server, request-response protocol.

By sending a specially-crafted packet request, an attacker can mount a denial-of-service attack on the target server computer. This may cause your computer to stop responding (hang). The attacker could use both a user account and anonymous access to accomplish this. Though not confirmed, it may be possible for the attacker to then start arbitrary code.

It was bad enough in theory, but now a script-kiddie friendly GUI version of the exploit has been posted on PacketStorm, and it works against all of the above. We worked through the weekend to get a large percentage of our boxes patched -- you may have to do the same. You can try for yourself at:


[Editor's note] The fact that this vulnerability is out there, and that someone has created a GUI to exploit it that can sit on a desktop as an icon makes it really dangerous.

The patch and the MSFT article can be found here:



Let me know if you know any other holes or security leaks like this one.