
M.S.08-067: Block T.C.P. Port 139 and 445

Would like to bring Attention to all Users: It is advised, since the M.S.08-067 Patch vulnerability is High-Risk, that Users Block Ports 139 and 445 as soon as possible.  These Ports can be employed to Exploit the Microsoft Windows Server Service Remote Buffer Overflow Vulnerability remotely.

I will Update this Thread if more information becomes available.

Thursday, November 21, 2013: The THREATCON was changed to Level 1: Normal | Tue., Nov. 05, 2013: Zero-Day Vulnerability: Microsoft Security Advisory 2896666 | Saturday, November 09, 2013: Cyber-Criminals Serve Up A Veritable Smorgasbord Of Threats For South Koreans | Wednesday, October 09, 2013: New Internet Explorer Zero-Day Targeted In Attacks Against Korea And Japan [C.V.E.-2013-3897]

Replies


Re: M.S.08-067: Block T.C.P. Port 139 and 445

If you're behind a hardware firewall then it doesn't apply.

http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Real Time Protection = NIS 2009 + NAT | Behavior Analysis = Threatfire | On Demand = MBAM

Re: M.S.08-067: Block T.C.P. Port 139 and 445

Hey Red could you clarify this as it may cause panic?
Cheers Mo Windows 7 64 bit, NIS2013

Re: M.S.08-067: Block T.C.P. Port 139 and 445


mo wrote:
Hey Red could you clarify this as it may cause panic?

See the ThreatCon for more information.  Also, click: Environment > Network Activity Spotlight from the drop-down list.  The N.A.S. changes every few hours depending on what is happening within the Threat Environment.

http://www.symantec.com/business/index.jsp


Re: M.S.08-067: Block T.C.P. Port 139 and 445

Thanks Red

Now I suppose my next question is...these ports on my pc are listed as disabled in my security log >in event viewer is this the same as being blocked???

Cheers Mo Windows 7 64 bit, NIS2013

Re: M.S.08-067: Block T.C.P. Port 139 and 445

You can go to www.grc.com, use Shields Up and do the custom port probe to test these ports as well.

Re: M.S.08-067: Block T.C.P. Port 139 and 445

Thanks Jimbo40

I have never used these tests before. Are you saying all you have to do is just click on the Shields Up and this site does it all?? By the way, where does NIS2009 come in with all this happening?? Realistically I could run around like a headless chicken; what are others doing in response to this threat?? I would really appreciate some thoughts on this.

Cheers Mo Windows 7 64 bit, NIS2013

Re: M.S.08-067: Block T.C.P. Port 139 and 445


mo wrote:

Thanks Red

Now I suppose my next question is...these ports on my pc are listed as disabled in my security log >in event viewer is this the same as being blocked???


You're welcome, mo.!

No.  Did you touch your Firewall Settings?  What Norton Product and Version are you using, e.g. Norton Internet Security 2009?

You may want to do this:

01. Update Norton, via Norton LiveUpdate.

02. Do a Full System Scan in Safe Mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam).

03. You could double-check by doing this: Download Malwarebytes' Anti-Malware (http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html).

04. Install.

05. Update.

06. Run a Full Scan in Safe Mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam).

07. Let me know the Result of the Scan(s).


Re: M.S.08-067: Block T.C.P. Port 139 and 445

Shields Up tests your firewall. It's a very good site, but remember if you're behind a router/modem with a hardware firewall Shields Up will test that first. I can have no security installed and pass Shields Up with flying colors. Mo, don't worry about it 'cause you're behind a hardware firewall.

 https://www.grc.com/x/ne.dll?bh0bkyd2

Message Edited by Dieselman743 on 10-29-2008 04:38 PM
Real Time Protection = NIS 2009 + NAT | Behavior Analysis = Threatfire | On Demand = MBAM
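
An external probe such as Shields Up sees the router first, as the post above says, so the PC's own view has to be checked locally. The following is an added example, not part of the original thread: it reads Windows `netstat -an` output and reports whether TCP 139 and 445 are listening and on which addresses. The sample output and all function names are constructed for illustration.

```python
import re

WATCHED_PORTS = (139, 445)  # NetBIOS session service and SMB over TCP

# Constructed sample of Windows `netstat -an` output (not from the thread).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1055      192.168.1.5:445        ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:445            *:*
"""

TCP_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+(\S+)\s*$")

def listening_addresses(netstat_text, ports=WATCHED_PORTS):
    """Map each watched port to the sorted local addresses it listens on."""
    found = {port: set() for port in ports}
    for line in netstat_text.splitlines():
        match = TCP_LINE.match(line)
        if not match:
            continue  # header, UDP rows, blank lines
        addr, port, state = match.group(1), int(match.group(2)), match.group(3)
        # Only the local side in LISTENING state counts; the ESTABLISHED row
        # in the sample is an outbound connection to another host's port 445.
        if state == "LISTENING" and port in found:
            found[port].add(addr)
    return {port: sorted(addrs) for port, addrs in found.items()}

def scope(addr):
    """Describe how widely a listening socket is bound."""
    if addr in ("0.0.0.0", "[::]"):
        return "all interfaces"
    if addr.startswith("127.") or addr == "[::1]":
        return "loopback only"
    return "single interface"

def report(netstat_text):
    """Return one summary line per watched port."""
    lines = []
    for port, addrs in sorted(listening_addresses(netstat_text).items()):
        detail = ", ".join(f"{a} ({scope(a)})" for a in addrs) or "not listening"
        lines.append(f"{port}/tcp: {detail}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_NETSTAT)))
```

A listener shown here only means the service is bound on the PC; whether a firewall drops inbound connections to it is a separate question that `netstat` does not answer.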

Re: M.S.08-067: Block T.C.P. Port 139 and 445

Ok Red

I have NIS2009, I already have Malwarebytes, I use its quick scans at least once a day, all clear. No, I haven't touched NIS firewall (too unsure). The event viewer is the Windows version in XP/SP3.

Thanks Diesel for your assurance.

It might seem silly but I don't want to do things that are unnecessary or knee jerk reactions. I'm new to this game and this would be the first "real" alert I would have faced. There are no signs of anything different on my PC; lost internet yesterday but that was through my ISP upgrading. This is my usual day for doing full system scans, so today they will be done in safe mode. Will let you know when I do them.

Cheers Mo Windows 7 64 bit, NIS2013

Re: M.S.08-067: Block T.C.P. Port 139 and 445

Why are you creating unnecessary and harmful panic????????????? And why are you giving the wrong advice?

Users should apply the patch KB958644 given here for the various Windows versions, and then continue using their local network as they did before.

Most likely it has already been applied if they had set their Windows Update to Automatic.

By blocking port 139 you are disabling file and printer sharing in the local network, creating havoc for users who won't understand what is the problem suddenly with their LAN.

I'm really worried about how preposterous some 'advisers' are here.

Windows 7 Ultimate x64 SP1 -- NIS 21

Re: M.S.08-067: Block T.C.P. Port 139 and 445

Thank you Tom.........................
Real Time Protection = NIS 2009 + NAT | Behavior Analysis = Threatfire | On Demand = MBAM

Re: M.S.08-067: Block T.C.P. Port 139 and 445

ALL USERS IGNORE THIS WARNING. SIMPLY RUN WINDOWS UPDATE IF YOU HAVEN'T ALREADY.
Real Time Protection = NIS 2009 + NAT | Behavior Analysis = Threatfire | On Demand = MBAM

Re: M.S.08-067: Block T.C.P. Port 139 and 445

Hi All

Just checked TomiRed's patch and I had already received it on the 24th Oct. So this is sufficient that I am ok and anyone else for that matter who has that patch? Thanks Tomi

Cheers Mo Windows 7 64 bit, NIS2013

Re: M.S.08-067: Block T.C.P. Port 139 and 445

Hey Mo..............you do not need to run daily scans in safe mode if that's what you do. Safe mode is only for when you're infected. Also you only need to run MBAM about once a month or so. NIS 2009 does scans automatically. Quick scans run daily and full scans run about every 7-10 days. No need for such paranoia. Heck I surf p___n and warez all the time and still never been infected.
Real Time Protection = NIS 2009 + NAT | Behavior Analysis = Threatfire | On Demand = MBAM

Re: M.S.08-067: Block T.C.P. Port 139 and 445


mo wrote:

Hi All

Just checked TomiRed's patch and I had already received it on the 24th Oct. So this is sufficient that I am ok and anyone else for that matter who has that patch? Thanks Tomi


Yes, that patch fixes the vulnerability described in the Microsoft Security Bulletin MS08-067. 

Users can disable NetBIOS if they use Active Directory, but in my experience most home local networks still use NetBIOS and therefore these ports to communicate and share files and folders in the Local Network.

For an attacker to exploit this vulnerability it would also be necessary for him to obtain control over and (ab)use a client in your LAN.

Message Edited by TomiRed on 10-30-2008 01:14 AM
Windows 7 Ultimate x64 SP1 -- NIS 21

Re: M.S.08-067: Block T.C.P. Port 139 and 445

Hi dieselman

Thanks for the scanning tip. No, I don't scan in safe mode all the time; I have patience but not that much. Yeah, I fall into the paranoid basket more often than not, but this time I thought I would rather ask the extra questions rather than doing a run here and there attitude. Thanks to you and Tomi, and you too Red, as you would have made a few people aware of something that they may not have been aware of and checked their updates. Just a personal thing: too much info about your surfing habits! If I'm interpreting the sentence right.

Cheers Mo Windows 7 64 bit, NIS2013

Re: M.S.08-067: Block T.C.P. Port 139 and 445

About surfing habits, it's not personal. I was merely trying to point out that it's not that easy to get infected. Heck, if it was I would get infected every day. Just relax Mo. You're too tense.
Real Time Protection = NIS 2009 + NAT | Behavior Analysis = Threatfire | On Demand = MBAM

Re: M.S.08-067: Block T.C.P. Port 139 and 445

This is the link to download this patch for Windows XP 32 bit (English),

I'm posting it here as most users have this version of Windows.

If you are using another supported version of Windows use the link I provided in post #11.

Windows 7 Ultimate x64 SP1 -- NIS 21

Re: M.S.08-067: Block T.C.P. Port 139 and 445


Since it appears Microsoft released a critical patch for this issue (KB958644) on 10/22/08, I'm going to close this thread.

Thanks everyone who participated!  There is some great information and links here!

Thanks for the Microsoft KB Reference TomiRed

This thread is closed from further comment. Please visit the forum to start a new thread.