An increase in "sniffing" activity on a port associated with a recently-patched Microsoft vulnerability may be the signal of an impending attack attempting to exploit the flaw, according to an alert from analyst firm Gartner.
The flaw in question is a remote code execution vulnerability associated with the Microsoft Windows Server Message Block (SMB) Protocol. It was rated as critical by the company in its June security bulletin, released earlier this month, because attackers who exploit it could take complete control of affected systems, according to Microsoft.
An increase in activity on TCP port 445, which is associated with the SMB protocol, may be a signal that attackers are attempting to exploit the hole, Gartner analyst John Pescatore says in an alert posted on Tuesday.
The activity poses "a serious concern for enterprise security managers, because it may indicate an impending mass malicious-code attack," Pescatore says. The port 445 activity indicates that attackers may have already reverse-engineered the patch, developed exploit code and circulated it on the internet, he says.
Officials at Symantec have also spotted increased activity on port 445, but they downplay any immediate threat.
Alfred Huger, senior director of engineering at Symantec, says his company noted a "significant spike" in activity last Friday. Since then, activity levels have gone back to normal.
"Activity targeting port 455 is very common. It's almost like background noise," Huger says, adding that the spike was probably an attempt by attackers to find systems that were vulnerable to the SMB flaw. "The good news is the vast majority of enterprise don't allow access to this port."
Companies that have installed Microsoft's Windows XP SP2 should also be protected against the flaw because it closes off access to port 445 by default, Huger says.
Pescatore says companies need to accelerate efforts to patch affected systems, implement recommended work-arounds and ensure that access to port 445 is blocked where possible. It is also a good idea to update both network and host-based intrusion prevention filters to deal with the threat, he says.
In an emailed response, a Microsoft spokeswoman says the company is aware of public reports about increased sniffing activity on port 445.
"Port scanning is an activity that may be indicative of an attempt to discover attack vectors against any vendor product and is not an activity unique to Microsoft products," she says.