Vista SMB 2.0 exploitable hole points to need for new filters
By Scott M. Fulton, III | Published September 8, 2009, 6:15 PM
Nearly two years ago, I ranked Microsoft's adoption of Server Message Block version 2 as #6 of the ten best new features of Windows Server 2008. Essentially, it replaces the aging CIFS dialect with a leaner protocol: it batches (compounds) several requests into one round trip, allows larger reads and writes, and adds symbolic links and durable file handles, all of which speed up moving large files over high-latency links.
It has taken this long for anyone to find what was described earlier today as a glaring hole in Windows SMB 2.0 security, but it's an embarrassing little hole nonetheless. A security researcher discovered that a single malformed SMB header is enough: the Process ID High field, which a legitimate client always leaves at zero, is instead sent with the byte 0x26 (an ASCII ampersand, "&") in it, and the SMB 2.0 driver on the receiving Vista machine handles the bad value without checking it, taking the kernel down with a blue screen. Because that packet arrives over TCP port 445 before any authentication takes place, an exploit could be crafted that remotely crashes any Vista-based machine exposing that port.
The "in-security community," which no longer develops its own exploits but now waits for real researchers to do the job, pounced on the proof of concept after it was independently published by Laurent Gaffié, a security consultant for UK-based Byethost Hosting. But although Gaffié's comments clearly show the proof-of-concept was tested on Windows Vista SP2, the usual suspects circulated the PoC as a "Windows 7 exploit," or at least one in the making. At some point, apparently, a "/7" was added to the list of operating systems affected, even though there is no such thing yet as "Windows 7 SP1."
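To make the header anomaly concrete, here is an added example (written for this page, not code from Gaffié's proof of concept or from Microsoft): it parses the SMB1-format Negotiate Protocol Request that opens every SMB session, shows where the Process ID High field sits (bytes 12-13 of the 32-byte SMB header, after the 4-byte NetBIOS session prefix), and flags any negotiate whose Process ID High is nonzero. The two packets it checks are constructed in the block itself; the flag values 0x18 / 0xC853 and the dialect strings are assumptions matching a typical client, and the detector's output format is my own.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB1_HEADER_LEN = 32
SMB_COM_NEGOTIATE = 0x72


def netbios_wrap(smb_message):
    """Prefix an SMB message with the 4-byte NetBIOS session-message header."""
    return b"\x00" + len(smb_message).to_bytes(3, "big") + smb_message


def build_negotiate(dialects, pid_high=0):
    """Constructed sample: an SMB1-format Negotiate Protocol Request.

    pid_high is the 16-bit Process ID High field at header bytes 12-13.
    A real client always sends 0 here; the flaw described in the article
    is triggered when it is not 0.
    """
    header = SMB1_MAGIC + struct.pack(
        "<BIBHH",
        SMB_COM_NEGOTIATE,  # Command
        0,                  # NT status
        0x18,               # Flags (assumed typical client value)
        0xC853,             # Flags2 (assumed typical client value)
        pid_high,           # Process ID High
    )
    header += b"\x00" * 8                           # SecuritySignature
    header += b"\x00" * 2                           # Reserved
    header += struct.pack("<HHHH", 0, 0xFEFF, 0, 0)  # TID, PIDLow, UID, MID
    assert len(header) == SMB1_HEADER_LEN
    # Negotiate body: WordCount=0, ByteCount, then 0x02-prefixed C strings
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = b"\x00" + struct.pack("<H", len(data)) + data
    return netbios_wrap(header + body)


def parse_smb1(packet):
    """Parse NetBIOS prefix + SMB1 header, plus the dialect list of a Negotiate."""
    if len(packet) < 4 + SMB1_HEADER_LEN:
        raise ValueError("packet too short for an SMB1 header")
    nb_len = int.from_bytes(packet[1:4], "big")
    if packet[0] != 0 or nb_len != len(packet) - 4:
        raise ValueError("bad NetBIOS session header")
    hdr = packet[4:4 + SMB1_HEADER_LEN]
    if hdr[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 header")
    command, status, flags, flags2, pid_high = struct.unpack_from("<BIBHH", hdr, 4)
    tid, pid_low, uid, mid = struct.unpack_from("<HHHH", hdr, 24)
    info = {
        "command": command, "status": status, "flags": flags, "flags2": flags2,
        "pid_high": pid_high, "pid_high_raw": hdr[12:14],
        "tid": tid, "pid_low": pid_low, "uid": uid, "mid": mid, "dialects": [],
    }
    if command == SMB_COM_NEGOTIATE:
        body = packet[4 + SMB1_HEADER_LEN:]
        word_count = body[0]
        bc_off = 1 + 2 * word_count
        byte_count = struct.unpack_from("<H", body, bc_off)[0]
        data = body[bc_off + 2:bc_off + 2 + byte_count]
        for entry in data.split(b"\x00"):
            if entry.startswith(b"\x02"):
                info["dialects"].append(entry[1:].decode("ascii", "replace"))
    return info


def findings(packet):
    """Alert on a Negotiate whose Process ID High is not zero (the article's case)."""
    info = parse_smb1(packet)
    alerts = []
    if info["command"] == SMB_COM_NEGOTIATE and info["pid_high"] != 0:
        note = ""
        if any(d.startswith("SMB 2") for d in info["dialects"]):
            note = " (client also offers an SMB 2 dialect)"
        alerts.append("Negotiate with nonzero Process ID High 0x%04x, header bytes %s%s"
                      % (info["pid_high"], info["pid_high_raw"].hex(), note))
    return alerts


if __name__ == "__main__":
    benign = build_negotiate(["NT LM 0.12", "SMB 2.002"])
    # 0x2600 little-endian puts 0x26 ('&') at header byte 13, as described above
    malformed = build_negotiate(["NT LM 0.12", "SMB 2.002"], pid_high=0x2600)
    for name, pkt in (("benign", benign), ("malformed", malformed)):
        print(name, parse_smb1(pkt)["pid_high_raw"].hex(), findings(pkt))
```

The check is deliberately narrow: a nonzero Process ID High on a negotiate is not something any shipping client sends, so it is a low-noise signature for this particular malformation on a 445 capture, but it says nothing about other ways of reaching the same driver.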
Meanwhile, Germany-based Heise Security tested the PoC, and while its team validated its impact on Vista, "the exploit had no apparent effect on a computer running Windows 7."
Heise's report today suggested that about the only way for Vista-based clients to protect themselves against a possible exploit is to block inbound TCP port 445 at the firewall. Veteran security researchers are already familiar with port 445, which carries SMB directly over TCP, and have long recommended keeping it closed to untrusted networks anyway. A Vista machine with the Windows Firewall at its defaults and file sharing switched off is already refusing inbound connections on 445; the exposure is on hosts that have enabled sharing, or turned the firewall off, and are reachable from a network an attacker can use.
I'm quite surprised with the recommendation, close the ports. Doesn't Microsoft realize that most of their user base doesn't have a clue what "ports" means, and ergo, telling them to close them is pointless?
I'm shocked that a Microsoft spokesman would undermine their casual users like that. Personally I take that as a direct insult; after all, most people that use Windows don't even know what "firewall" means.
I'm disgusted how Microsoft "PR" has dealt with the situation.
We can only hope they get a proper fix out soon, because at least 50% of Vista users won't be closing their ports, because, like I said before, most users don't know what that means.
Score: -1
|That was very dramatic.
Of course, you do realize that those same folks that don't know what "ports" means have the firewall set to its defaults and haven't enabled file-sharing, right? By your definition, they wouldn't know how to/
Kinda makes your whole dramatic rant pointless, don't it?
Score: 1
|"That was very dramatic." To you, perhaps,
but the fact is, releasing a statement telling their customers that they should do this, and all will be fine, in my opinion is outrageous. They should release an urgent hotfix on Windows Update,
and fix the problem from their end.
"Of course, you do realize that those same folks that don't know what "ports" means have the firewall set to its defaults and haven't enabled file-sharing, right?"
Very presumptuous of you to assume their firewalls are set up to default settings. What statistics do you have to assume such a thing? Furthermore, how do you know that most users have firewalls turned on? My point exactly: we don't know, and neither does MS, which is why Microsoft has dropped the ball on this one. They should tell their customers they will release a hotfix ASAP. That would have gone down a lot better, rather than assuming people understand ports and whatnot,
and for the record, even by today's standards, firewall software is still horrible to use for the general user. It tends to be very buggy, resource-hungry, and too complicated for the average Joe, so what do most users do? They uninstall it. How do I know this? Well, let's say I've fixed a few machines and drawn my own conclusion. lol
Score: -1
|Will not work if file-sharing is turned off (default) or if the Windows Firewall is active (default).
Score: 1
|Yup, not to mention a lot of people probably don't even need the service running, like me ;)
http://is.gd/34TMN
Score: 0
|Windows 7 RTM and Server 2008 R2 are not affected :)
Score: 1
|Source: http://news.cnet.com/8301-13860_3-10347289-56.html
Score: 0
|Isn't Vista's firewall enabled and blocking incoming connections by default? Problem solved!
Wouldn't hurt to configure the advanced firewall to block both incoming and outgoing connections manually; it's more fun...
445 Stealth: There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
Guess I'm good? ;P
Just curious, does anyone know of any sites besides grc and the like that test your system's security against outside threats, etc.? grc is pretty old ;P
Score: 1
|http://www.networkworld.....html?fsrc=netflash-rss
Also interesting...
Score: 0
|Too bad so sad, I somehow don't get the feeling Microsoft cares about Windows 2000 Server and its 0.3% userbase anymore *tear ;)
Score: -1
|Too bad so sad for customers that expected support from a company and found it abandoned. It brings up some questions:
What would MSFT have done if this had been discovered in 2002?
What if a similar situation happened with Windows 2008 R2?
What does this say about Microsoft's claimed support policies? That it can break them as it sees fit?
I don't know what percentage market share Server 2000 remains anymore, but I do know that several U.S. banks still have significant use of this operating system on server and desktop.
Score: 0
|'All Windows 2000 support including new security updates and security-related hotfixes will be terminated on July 13, 2010'
Component/non-trivial fixes are done on a paid-per-incident basis ;) which is why I guess they want affected folks to call them. 2000 entered extended support in 2005, so long Windows 2000.
I think Microsoft lived up to its end of the deal with that OS.
Score: 1
|Sure, if breaking your own support policy guidelines is living up to your end of the deal, then Microsoft passed, (again,) with flying colors.
It simply gives pause to consider Microsoft doesn't stand by what they say in regards to support. No more, no less.
Score: 0
|This would be a 'core component' update for 2000, not exactly covered by extended support, support which runs out entirely in under a year ;P
If companies are still using 2000, that's their own problem; the support cycle has been there for all to see for the last how many years?
Score: 2
|What do you expect when using super expensive proprietary software from Microsoft? If those banks were smart, they would get rid of the proprietary Microsoft software and use GNU/Linux.
Score: -4
|We're still running 2000 on a couple of our servers, but are planning to replace one of them early next year, and upgrade the other later this year.
Score: -1