Sapsiwai - Fotolia

Stopping EternalBlue: Can the next Windows 10 update help?

The upcoming Windows update, Redstone 3, will patch the vulnerability that enables EternalBlue exploits. Expert Judith Myerson discusses protection methods to use until the update.

I use Windows 10 for business purposes, and the NSA's EternalBlue exploit has been ported to the OS. What can users...

do to prevent EternalBlue from affecting Windows 10?

In September 2017, Microsoft will release the Windows 10 Redstone 3 update, and Server Message Block version 1 (SMBv1) will be officially kicked out. EternalBlue will be prevented from exploiting a vulnerability (CVE-2017-0144), and all files in Windows 10 and Office 365 will be protected from malicious remote execution.

Many Windows users didn't install patches for previous Windows versions that are currently supported by Microsoft. They became victims of the WannaCry ransomware that made use of EternalBlue. Impacted files were shared between Windows clients and servers through the vulnerable protocol.

Researchers at RiskSense showed how EternalBlue could help an attacker launch a remote execution attack. They used its DoublePulsar backdoor payload and the NSA's Fuzzbunch platform, which is similar to Metasploit, to port the EternalBlue exploit to Windows 10 x64 version 1511, codenamed Redstone 2.

While organizations wait for Redstone 3's release, they can apply guidance found in Microsoft Security Bulletin MS17-010. SMBv1 can easily be disabled by clearing the SMB1.0/CIFS File Sharing Support checkbox in the Control Panel in Windows 8.1 or later. Organizations can use similar methods for Windows Server 2012 R2 and later.

Redstone 3 will save organizations the headache of making laborious manual changes in the thousands of Windows PCs and servers they oversee domestically or internationally.

The SMBv2 protocol was introduced in Windows Vista and Windows Server 2008. The SMBv3 protocol was introduced in Windows 8 and Windows Server 2012. All three SMB versions are available in non-Microsoft operating systems that would enable connection with Windows 10.

Microsoft doesn't recommend disabling SMBv2 or SMBv3 for Windows client and server operating systems. Disabling SMBv3 will deactivate encryption that provides protection from eavesdropping on untrustworthy networks. Organizations should proceed with caution when disabling either protocol as a temporary troubleshooting measure.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)

Next Steps

Learn about the similarities between EternalBlue and a Samba vulnerability

Find out more about the clash between Microsoft and the NSA over EternalBlue and WannaCry

Discover whether the WannaCry decryptor could work on other ransomware strains

This was last published in August 2017

Dig Deeper on Application and platform security