Hello, welcome to the Friday, February 3rd, 2017 edition of the Sandsenet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

We got our TCPDump update today from tcdump.org, so if you're relying on that, you can now download TCPDump 4.9 and be no longer vulnerable against these various

heap buffer overflows that were released earlier this week. But to make up for it, we got a new

Saturday and that one hits Windows users. Windows 2012 and later on the server side and Windows 8 and later on the client

side started implementing SMB version 3.

And there is a relatively straightforward buffer overflow in SMB version 3 on these Windows

systems that can be exploited now thanks to a proof of concept exploit.

Now this is at this point just a denial of service vulnerability.

It's not clear if it's also executable.

In order to be vulnerable or to be exploited, a client needs to connect to a malicious

Smb version 3 server.

So the way this could potentially be executed is that you visit a website that includes a link

that links, for example, an image to an SMP version 3 server.

I tested this particular scenario with a static HTML file on the client and yes, the client

rebooted immediately after opening the file. If you get hit by it, you'll see a blue screen of

death. I have a screenshot of the blue screen in the diary so you can compare in case you see one pop up on your system.

But there's also a very experimental preliminary snort signature that I came up with for it.

Not sure how good it is, but you could also try that out if you would like to detect exploit attempts.

At this point, I haven't seen a statement

from Microsoft about this exploit yet, so in case you run across something, let me know.

And if you didn't update to WordPress 472, which was released end of January, because you

...