We usually don’t report on security flaws, unless they affect platforms that rarely see such flaws, or when the flaw in question is pretty serious. Well, a new zero-day flaw has been discovered in Windows Vista and Windows 7 which triggers a blue screen of death through the new SMB 2.0 protocol. Update: Microsoft has confirmed that Windows 7 RTM and Windows Server 2008 R2 are not affected by the flaw (Windows Vista, Windows Server 2008 and the Windows 7 RC are), so this is less of a problem than expected.
For Windows Vista, Microsoft rewrote its Server Message Block protocol, introducing the rewritten variant as version 2.0. The new version came with several improvements, the most important being that multiple operations can be compounded into a single request, which reduces the number of round trips between client and server and so improves performance.
An additional benefit – maybe even more important from Microsoft’s perspective – is that SMB 2.0 shed the intellectual property issues which surrounded SMB 1.0. SMB 1.0 was originally designed by IBM, and shipped in non-Windows operating systems as well, such as VMS and OS/2.
This new version, as it turns out, introduces a flaw which enables behaviour the Windows platform hasn’t seen since 1999: a malformed network negotiation request can make a Windows machine show a blue screen of death. Because negotiation is the very first exchange of an SMB session, the request needs no credentials: anything that can reach TCP port 445 on the target can send it. While not confirmed just yet, initial reports indicate that it might also be used to execute code remotely. Microsoft has been made aware of the flaw, but no patch is yet available. Until one ships, the only workaround is to disable SMB 2.0 on affected machines, or to keep SMB (TCP port 445) blocked at the firewall from untrusted networks.
All editions of Windows Vista (and, per the update above, the Windows 7 RC but not the RTM build) are vulnerable, fully patched or not, 32-bit or 64-bit. This is of course a pretty bad time for such a flaw to be revealed, this close to the imminent release of Windows 7.
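To check that the disable-SMB-2.0 workaround actually took on a machine (and to see, in bytes, what a negotiate request looks like), here is an added example in Python; it is not code from the article, from the commenters’ script, or from Microsoft. It sends a well-formed SMB1 NEGOTIATE that offers the "SMB 2.002" dialect and reports whether the server answered with an SMB2-framed response or fell back to an SMB1 dialect. It does not send the malformed request behind the crash. The sample responses at the bottom are constructed by hand for offline testing; the dialect strings and header field values are the standard ones from the SMB/SMB2 specifications, assumed here rather than captured from any affected host.

```python
"""Probe whether a host still negotiates SMB 2.0 (verifies the disable-SMB2 workaround)."""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72

# Dialects offered in the SMB1 NEGOTIATE request. A server with SMB 2.0 enabled
# answers the "SMB 2.002" entry with an SMB2-framed response; with SMB 2.0 off it
# picks one of the SMB1 dialects instead (or rejects them all with index 0xFFFF).
DIALECTS = [b"NT LM 0.12", b"SMB 2.002"]

# DialectRevision values an SMB2 negotiate response can carry.
SMB2_REVISIONS = {0x0202: "SMB 2.002", 0x02FF: "SMB 2.??? (wildcard)", 0x0210: "SMB 2.1",
                  0x0300: "SMB 3.0", 0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}


def build_negotiate(dialects=DIALECTS):
    """Build a well-formed SMB1 NEGOTIATE request inside a NetBIOS session frame."""
    # 32-byte SMB1 header: magic, command, NT status, flags (canonical paths, case-insensitive),
    # flags2 (unicode | NT status | extended security | long names)
    header = struct.pack("<4sBIBH", SMB1_MAGIC, SMB_COM_NEGOTIATE, 0, 0x18, 0xC841)
    # PIDHigh, SecurityFeatures, Reserved, TID, PIDLow, UID, MID
    header += struct.pack("<H8sHHHHH", 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)  # BufferFormat 0x02 + name + NUL
    body = struct.pack("<BH", 0, len(data)) + data             # WordCount 0, ByteCount
    smb = header + body
    return struct.pack(">I", len(smb)) + smb                   # NetBIOS: type 0x00 + 24-bit length


def classify_response(raw, dialects=DIALECTS):
    """
    Classify a NetBIOS-framed negotiate response.
    Returns ("smb2", dialect) if the server answered with an SMB2 header,
    ("smb1", dialect) if it chose an SMB1 dialect, or ("none", reason).
    """
    if len(raw) < 4 or raw[0] != 0x00:
        return ("none", "not a NetBIOS session message")
    length = int.from_bytes(raw[1:4], "big")
    smb = raw[4:4 + length]
    if smb[:4] == SMB2_MAGIC:
        if len(smb) < 70:
            return ("none", "truncated SMB2 negotiate response")
        # SMB2 NEGOTIATE response: 64-byte header, then StructureSize(2), SecurityMode(2), DialectRevision(2)
        rev = struct.unpack_from("<H", smb, 64 + 4)[0]
        return ("smb2", SMB2_REVISIONS.get(rev, "revision 0x%04x" % rev))
    if smb[:4] == SMB1_MAGIC and len(smb) > 4 and smb[4] == SMB_COM_NEGOTIATE:
        if len(smb) < 35:
            return ("none", "truncated SMB1 negotiate response")
        # SMB1 NEGOTIATE response: 32-byte header, WordCount(1), DialectIndex(2)
        index = struct.unpack_from("<H", smb, 33)[0]
        if index == 0xFFFF:
            return ("none", "server accepted none of the offered dialects")
        if index >= len(dialects):
            return ("none", "dialect index %d out of range" % index)
        return ("smb1", dialects[index].decode())
    return ("none", "unrecognised response")


def recv_message(sock):
    """Read one complete NetBIOS session message (4-byte header + payload) from sock."""
    head = b""
    while len(head) < 4:
        chunk = sock.recv(4 - len(head))
        if not chunk:
            return head
        head += chunk
    length = int.from_bytes(head[1:4], "big")
    payload = b""
    while len(payload) < length:
        chunk = sock.recv(length - len(payload))
        if not chunk:
            break
        payload += chunk
    return head + payload


def probe(host, port=445, timeout=3.0):
    """Send one well-formed negotiate to host:port and report which protocol family answered."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate())
        return classify_response(recv_message(s))


def sample_smb2_response():
    """Constructed (not captured) SMB2 NEGOTIATE response selecting dialect 0x0202."""
    header = SMB2_MAGIC + struct.pack("<H", 64) + b"\x00" * 58            # 64-byte header, rest zeroed
    body = struct.pack("<HHH", 65, 0x0001, 0x0202) + b"\x00" * 59         # StructureSize, SecurityMode, DialectRevision
    smb = header + body
    return struct.pack(">I", len(smb)) + smb


def sample_smb1_response(dialect_index):
    """Constructed (not captured) SMB1 NEGOTIATE response choosing dialect_index."""
    header = SMB1_MAGIC + struct.pack("<B", SMB_COM_NEGOTIATE) + b"\x00" * 27
    body = struct.pack("<BH", 17, dialect_index) + b"\x00" * 32 + struct.pack("<H", 0)
    smb = header + body
    return struct.pack(">I", len(smb)) + smb


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

After disabling SMB 2.0 on a Vista or Windows 7 RC box, `python probe.py <host>` should come back `('smb1', 'NT LM 0.12')`; an `('smb2', 'SMB 2.002')` answer means the change has not taken effect (or the wrong machine is being tested). A connection timeout rather than an answer is what the firewall-blocked case from the comments looks like.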
It works just peachy. I ran the Python script on my Mac and was able to take down my Windows 7 machine quite easily.
What, we don’t get to see a screenshot?
*puzzled stare*
http://macdailynews.com/index.php/weblog/comments/22329/
Second image down. :p
…time for it to become known, right BEFORE Windows 7 is released. At least Microsoft now has an opportunity to patch it before it is officially released, and download that patch during the initial setup process…
Yeah.. they should have waited till post-Windows 7… oh well.
It doesn’t matter, it’s too late for Microsoft to patch any of this. They’ve already labeled and sent off their build as RTM. That doesn’t stop them from releasing a Windows Update, which I assume will be pretty fast.
I saw this exploit and went “LOLWUT?”
I tried it on the Group Policy “Windows” guy’s lab systems (he works next to me) and watched 5 VMs BSOD.. I ROFL’ED… R . O . F . L ‘ed sir.
Way to go Microsoft… I wonder if Windows 2008 suffers from this also.
I have a sudden urge to go into #microsoft on IRC and start blasting that Python script at people.
That would likely be ineffective since neither Vista nor 7 allow SMB traffic from public networks by default. This attack would likely be limited to LANs or misconfigured systems.
As a followup, this flaw could provide incentive to avoid (or double-check) leaked/torrented builds as it’s pretty easy to create a modified image that allowed SMB through the firewall by default. A naive user may think their downloaded build has the same security as the official distribution.
Edited 2009-09-09 00:51 UTC
I’m sure this is a great opportunity for people who find happiness in others’ misfortune. Let’s teach those Windows users, eh?
Although both Vista and Windows 7 may share the same SMB, according to the Microsoft Security Response Center:
“Our investigation has shown that Windows Vista, Windows Server 2008 and Windows 7 RC are affected by this vulnerability. Windows 7 RTM, Windows Server 2008 R2, Windows XP and Windows 2000 are not affected by this vulnerability.”
Source:
http://blogs.technet.com/msrc/archive/2009/09/08/microsoft-security…
—
And did OSnews check if it’s working on Windows 7, all versions as you say, RTM or not? Since even heise Security, a security research firm, says it had no apparent effect on Windows 7:
http://www.h-online.com/security/Hole-in-Windows-Vista-and-7-allows…
Please check.
So there.
This flaw doesn’t really matter. It’s not a schoolboy programming error. It’s not a ridiculously bad architectural design. The timing is somewhat awkward, but the patch will come through in the first Windows 7 updates, and most businesses won’t switch to Win 7 until Service Pack 1 (or they will stick with XP until kingdom come).
I’m trying this on the test PCs we have at work with Win7 RTM and nothing happens. We’ll do some more tests, but I guess all these reactions are exaggerated.
An update: I haven’t been able to crash Windows 7 machines, but I easily crash Windows Vista with all updates!
That’s a very big problem, and I’m happy my org hasn’t fully endorsed Windows Vista.
Is the article going to be edited? Only Windows 7 RC is affected, not RTM.
It has been edited two hours ago…
Looks like this is basically a non-issue
>> Update: Windows 7 RTM and Windows Server 2008 R2 are not affected by the flaw. So, this is less of a problem than expected.
So it only affects recent MS desktop operating systems which are available to the general public? Thank goodness for that, you had me worried for a moment.
Test your code against RTM and see if it works. I haven’t done so yet. But after seeing the Notepad awesomeness and now SMB.. I think that Adobe/CA (Computer Associates) can rest assured that they will never have the most crappy software design.
I leave you guys with some ASM code to test out. This is not a BSOD issue, it’s a Remote Exploit. A hax0r can take over your machine, so it’s a bit more than just making it unavailable.. I smell botnets!!!
http://www.reversemode.com/index.php?option=com_mamblog&Itemid=15&t…
What’s this “notepad awesomeness”?
On 7 Notepad does not need UAC elevation (it is elevated by default). So you can inject code into the Notepad process and have it auto elevate (if you are so inclined).
Notepad is not on the auto-elevate list. I just tried opening a file in notepad that I don’t have access to except with an admin token, and it failed (there was no auto-elevation). Do you happen to know what I have to do to cause Notepad to auto-elevate?
… or at least my MSDN install appears to be immune. I just tested it locally against build 7100, and sure enough it shuts it down…
So beta bad, RTM ok… so at this point the only people at risk are vista users – big deal.