This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
This signature will detect attempts to exploit a Denial of Service Vulnerability in Microsoft Windows Vista.
Server Message Block 2 (SMB2) is a newer version of the SMB protocol. SMB2 was introduced in Microsoft Windows Vista.
Windows is prone to a remote code-execution vulnerability when processing the protocol headers for the SMB Negotiate Protocol Request. This issue affects the '_Smb2ValidateProviderCallback()' function in the 'srv2.sys' driver. Specifically, the software fails to sufficiently validate the 'Process ID High' header field contained in an SMB2 request before using it to construct a pointer into a function table.
NOTE: Reportedly, for this issue to be exploitable, file sharing must be enabled.
An attacker can exploit this issue to execute code with SYSTEM-level privileges; failed exploit attempts will likely cause denial-of-service conditions.
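The following defender-side check is an added example, not Symantec's signature logic or code from the vendor: it parses the fixed 32-byte SMB header of a captured Negotiate Protocol Request and flags a non-zero 'Process ID High' field. The function names, the 4-byte transport length prefix handling, the sample frames and the rule "non-zero means alert" are assumptions made for illustration.

```python
import struct

# SMB header layout (32 bytes, little-endian):
# Protocol(4) Command(1) Status(4) Flags(1) Flags2(2) PIDHigh(2)
# SecurityFeatures(8) Reserved(2) TID(2) PIDLow(2) UID(2) MID(2)
SMB_HEADER = struct.Struct("<4sBIBHH8sHHHHH")
SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB_FLAGS_REPLY = 0x80


def classify_frame(frame: bytes) -> str:
    """Classify one captured frame: 4-byte length prefix + SMB message."""
    if len(frame) < 4 + SMB_HEADER.size or frame[0] != 0x00:
        return "ignored"                      # too short or not a session message
    declared = int.from_bytes(frame[1:4], "big")
    if declared < SMB_HEADER.size or declared > len(frame) - 4:
        return "malformed"                    # length prefix disagrees with the data
    (magic, command, _status, flags, _flags2, pid_high,
     _sec, _rsvd, _tid, _pid_low, _uid, _mid) = SMB_HEADER.unpack_from(frame, 4)
    if magic != SMB_MAGIC or command != SMB_COM_NEGOTIATE:
        return "ignored"                      # not an SMB Negotiate message
    if flags & SMB_FLAGS_REPLY:
        return "ignored"                      # server response, not a request
    # Assumption: a Negotiate request has no reason to carry a non-zero
    # Process ID High, so any non-zero value is reported.
    return "alert" if pid_high != 0 else "ok"


def sample_frame(pid_high: int, command: int = SMB_COM_NEGOTIATE,
                 flags: int = 0x18) -> bytes:
    """Constructed test input: header only, no dialect list."""
    header = SMB_HEADER.pack(SMB_MAGIC, command, 0, flags, 0, pid_high,
                             b"\x00" * 8, 0, 0, 0x1234, 0, 0)
    return b"\x00" + len(header).to_bytes(3, "big") + header


if __name__ == "__main__":
    for name, frame in [("zero PID High", sample_frame(0)),
                        ("non-zero PID High", sample_frame(0x0001)),
                        ("reply flag set", sample_frame(0x0001, flags=0x98))]:
        print(f"{name}: {classify_frame(frame)}")
```
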
Windows 7 RC, Vista and 2008 Server are vulnerable; other versions may also be affected.
NOTE: Reportedly, Windows XP and 2000 are not affected.
UPDATE (September 9, 2009): Symantec has confirmed the issue on Windows Vista SP1 and Windows Server 2008.
The vendor released an update to address this issue. Please see the references for more information.