Microsoft: SMB 2.0 hole does affect Vista, not Windows 7
By Scott M. Fulton, III | Published September 9, 2009, 10:46 AM
A security advisory issued by Microsoft late yesterday takes to task a security consultant for a British ISP who apparently, and possibly even accidentally, discovered a way that the Server Message Block 2.0 driver can trigger an instant Windows crash. Rather than report the incident directly to Microsoft, Laurent Gaffié went public with his findings first, in such a way that appears to have triggered the enthusiasm of the black-hat side of the security community.
"Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk," reads yesterday's Security Advisory 975497. "We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests."
The problem appears to be this: Should the SMB 2.0 driver in Windows Vista and Windows Server 2008 receive a message header whose contents may have been shifted by one character, such that an ampersand (&) that belongs elsewhere ends up instead in the high word of the Process ID field, the driver may crash and take the operating system down with it. Yesterday, Microsoft acknowledged that this issue affects 32- and 64-bit versions of Windows Vista and Windows Server 2008, with or without all service packs installed.
But all versions of Windows 7 and Windows Server 2008 R2, both of which have just released to manufacturing, are explicitly included in the "Non-Affected Software" category, verifying independent security researchers' findings that the newest kernels and the latest drivers for those kernels apparently do filter out the shifted &. Gaffié's original report, based on snapshots we saw carried on other blogs, only mentioned Vista as the affected OS, and only speculated on Windows Server 2008. In later versions of that same report, someone -- perhaps not Gaffié -- added a "7" in the affected OS list, leading many blogs to trumpet their news that a pre-release Windows 7 hole had been found. At least one blog went on to speculate that the "discovery" would force Microsoft to suspend Win7's October 22 general availability release date.
Evidence from the real world, however, suggests this will not happen.
As temporary workarounds until Microsoft can assemble a patch for the fault, the company suggests that administrators either effectively uninstall SMB 2.0, by way of a System Registry change that replaces the "on" setting for the driver with a zero, or set their firewalls to block incoming traffic on TCP ports 139 and 445. Non-administrators or non-expert users of Vista are advised to set their network profiles to Public, which is a catch-all setting that blocks all unsolicited inbound packets, including those arriving on these two ports.
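An added example, not from the article or from Microsoft's advisory, of scripting the firewall half of that workaround: it checks the kernel version first so the block rule is only applied on builds the advisory lists as affected. It assumes an elevated PowerShell prompt, netsh advfirewall (present on Vista and later), and that Windows 7 builds below 7600 (the RTM build) are the pre-release builds the advisory FAQ calls affected.

```powershell
# Added example (not the article's or Microsoft's code): apply the interim
# host-firewall workaround from Advisory 975497 only where it is needed.
$os    = Get-WmiObject -Class Win32_OperatingSystem
$parts = $os.Version.Split('.')
$major = [int]$parts[0]; $minor = [int]$parts[1]; $build = [int]$parts[2]

# 6.0 = Vista / Server 2008: affected on every service pack.
# 6.1 = Windows 7 / Server 2008 R2: RTM (build 7600) is listed as not
#       affected; pre-release builds (RC1) were reported affected, so any
#       6.1 build below 7600 is treated as affected here (assumption).
$affected = ($major -eq 6) -and (($minor -eq 0) -or ($minor -eq 1 -and $build -lt 7600))

if (-not $affected) {
    Write-Host "Build $($os.Version) is not in the affected list; nothing to do."
    exit 0
}

Write-Host "Build $($os.Version) is affected; blocking inbound TCP 139 and 445 on all profiles."

# Block the two SMB listener ports at the host firewall. Until the rule is
# deleted again, other machines cannot reach file and printer shares here.
$ruleName = "Block inbound SMB (Advisory 975497 workaround)"
netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=139,445 profile=any

# Confirm the rule exists and is enabled.
netsh advfirewall firewall show rule name="$ruleName"

# Once the real patch is installed, remove the rule again with:
#   netsh advfirewall firewall delete rule name="Block inbound SMB (Advisory 975497 workaround)"
```

Outbound SMB from this machine is unaffected by the rule, so the host can still reach other servers' shares while inbound connections are refused.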
Of note: according to the Microsoft article (in the FAQs section), Windows 7 RC1 is affected.
Score: 0
|is the release candidate the current version? nope
Score: 1
|He never said it wasn't. He just said it was "of note". Presumably because RC1 is still in a great deal of use since RTM isn't widely available yet. :)
Score: 0
|Ahh, how cute. Windows 7 not affected, but Vista is...
Maybe you don't have enough reasons to upgrade as soon as possible? There you go... The last coincidence should be around October, if a worm using the vulnerability appears in the wild, and Bingo! You should update ASAP, very convenient vulnerability...
Score: -4
|By that logic EVERYONE should have upgraded from XP to Vista, "or else"™.
There were hundreds, if not thousands, of patches and two service packs produced by Microsoft to "trick" people into upgrading to Vista. How convenient. Of course, UNIX, Linux, OSX, etc., are all on version 1.0 of their operating systems because they are so perfect they don't need patches and/or aren't trying to fleece their customers. But if they did need to patch something, I'm sure they wouldn't release any just before they came out with a new version. Of course, that will never happen because they are perfect and version 1.0 is all there will ever be.
Score: 0
|All of our Firewalls should be enabled by Default, here we see the whole purpose of Firewall ;) and btw, using your Advanced Firewall settings under Vista or 7 is a good thing to learn, it's actually a pretty robust wall.
I had to double check yesterday to see if there was even a possibility I was affected, I wasn't... a real good fix is uninstalling network features Client for Microsoft Networks and File and Printer Sharing, both of which I've never used at all, not even when I used XP
Microsoft sure adds tons of functionality into Vista and 7, often it's more functionality than needs to be enabled by default lol
so yeah, Firewall, uninstall those two features, you're set... the latter isn't really necessary if you've kept your Firewall the default and you're not OCD like myself
curious though, how many ports do you all leave open on your systems? http://is.gd/34TMN 8 on my own, double that if you include IPv6 ;P
Score: 3
|Sure, but your Vista firewall shouldn't be set as Public by default unless you're using it on the go. Most people are connected to a home network these days and thus they would be using the 'Home' profile in their firewall to permit file-sharing. Advising those users to switch to the 'Public' profile is going to have them asking why they can't share files and print across their network. :p
That said, I have no idea if this vulnerability is exploitable across the NAT routers used in most homes, and/or the ones equipped with SPI firewalls. Seems unlikely...
Score: 1