Windows 7 Reintroduces Remote BSoD

David Gerard writes "Remember the good old days of the 1990s, when you could teardrop attack any Windows user who'd annoyed you and bluescreen them? Microsoft reintroduces this popular feature in Windows 7, courtesy the rewritten TCP/IP and SMB2 stacks. Well done, guys! Another one for the Windows 7 Drinking Game."

Local?

[MindStalker]

If it relies on a SMB2 request it is most likely restricted form request inside the LAN.
Either way, still bad.

Re:Local?

[fuzzyfuzzyfungus]

Especially unpleasant given that SMB2 is pretty common on important shared resources. Like fileservers.

Crashing clients is bad, any client on the LAN being able to take down the fileserver is substantially worse.

Re:Local?

[afidel]

Actually the headline is very misleading and that's bad. This affects SMB2 which is in Vista and Server 2008 as well, that means every Server 2008 system is likely vulnerable to a LAN based DoS attack.

Re:Local?

[Sethb]

Uh, by default on modern incarnations of Windows, accounts without passwords are *not* allowed to log in remotely. So, they're extremely difficult to access remotely.

Re:Local?

[ShieldW0lf]

Trust in computer disciplines doesn't have anything to do with something being trustworthy. Trust is an expression that you have left yourself vulnerable, and are trusting that you won't be exploited. How you feel about leaving yourself vulnerable is irrelevant. The probability that you will be exploited is also irrelevant.

That's what Trusted Computing is all about... it's not that your computer is more secure... it's that your computer is less secure, and you are trusting third parties not to screw you instead of securing yourself against them.

Re:Local?

[Idaho]

generally speaking you're not expecting attacks from inside your LAN. As Windows vulnerabilities go, this isn't horrible in a practical sense.

Really? That may be true in small(ish) companies, say less than 50 employees. In general, many security experts beg to differ, however.

Some select quotes:

"In 92 percent of the incidents [re. inside attacks] investigated, revenge was the primary motivator."

Common attacks:

Manipulation of Protocol Design Flaws: Protocol weaknesses in TCP/IP can result in a virtual treasure trove of problems, for example DNS spoofing, TCP sequence, hijacked sessions and authentication session / transaction replay, denial of service and TCP_SYN flooding.

Manipulation of Operating System Design Flaws: We all know the drill. Operating systems, such as Windows and Linux, have not been designed to be highly secure. Privileged users in particular have easy access to information regarding which vulnerabilities exist and which vulnerabilities have been patched. With the ability to read and administrative access, privileged users can manipulate these design flaws and exercise native vulnerabilities.

I work at a university where several years ago a server administrator purposefully set fire to an entire building (out of spite for getting fired, allegedly). By comparison, bluescreening the computers in your company out of revenge is childs play, and if you do it right, it should be very hard to detect where it originated. People do strange things out of spite - although setting buildings on fire is fortunately rare, I doubt the same can be said about such "trivial" DOS possibilities.

Re:Local?

[phoenix321]

Second that big time.

The belief that a cloud of several thousand clients can ever be held secure is almost obscene. IT departments that concentrate most heavily on defending the outer border of their network, placing more than only a slight hint of trust in their "owned" client hardware are hopefully becoming rare.

Several thousand notebooks, travelling along the employees all around the world, through a hundred massive wifi-zones, hotel LANs, airports etc., should not be trusted higher than the machine Joe Random Employee brought from home. The official corporate notebook may have all the branding, settings, applications and whatnot, but that can at best make it a decently hardened PC, not bullet proof.

Many organisations really concentrate on the border, falling to the illusion of control: "we control the machine, the user / employee has no admin rights so all machines that go along on a business trip come back in perfect shape and without ever acquiring a drive-by rootkit somwhere"

In reality, most breaches are done, or facilitated, or unknowingly supported by people inside the organisation. Disgruntled employees are surely the worst enemy - and guaranteed to be numerous in any multinational company under the current economy. But it can also be frequent-fliers, hard-working staff that take their laptops everywhere and try to work all the time, connecting to a hundred different wifi-APs per year. Trusting a machine means physical control over everything. Trusting machines that commute and travel daily along with their employees is batshit crazy - but most IT departments still pretend they don't see that.

Re:Local?

[Mathiasdm]

Yes, it affects Vista (just tested it here). The example exploit contains a bug though. You need to add an import line 'from socket import socket'.

The difference is...

[Xest]

...half the world is behind a NAT setup now, and the other half has Windows firewall enabled. Windows update exists now so people will be able to patch quickly and easily when a patch arrives.

Realistically this isn't going to effect many people like the old exploit did.

Still, it's quite comical, maybe this is Microsoft's take on the saying "The old ones are the best". So much for their secure development practices, there's really no excuse for them not picking this one up before release.

Not consistent

[james_a_craig]

Having actually tried this on three windows 7 machines now, it doesn't seem to work on every machine. (Actually, it's yet to work on any here, although I hear tell that it does work on some). There's something more to this than just "that data crashes it every time".

Re:Not consistent

[afidel]

Try it against a Server 2008 lab server with file shares, I'll bet that it will BSOD.

IP Reasons for SMB2

[eldavojohn]

they don't like introducing "new" things

A slight correction, they like to introduce new things when it suits them. Why the rewrite of SMB into SMB2? Well, it has some technological advantages you would expect but according to Wikipedia:

SMB 2 has two big benefits to Microsoft. The first is clear intellectual property ownership. SMB 1 was originally designed by IBM and was shipped on a wide variety of non-Windows operating systems such as SCO Xenix, OS/2 and DEC VMS (Pathworks). It was partially standardised by X/Open and also had draft standards for IETF which lapsed. (See http://ubiqx.org/cifs/Intro.html for historical detail).

The second benefit is a clean break. Microsoft's SMB1 code has to work with a huge variety of SMB clients and servers. A large number of items in the protocol are optional (such as short and long filenames), there are many infolevels for commands (selecting what structure is returned to a particular request), Unicode was a later addition etc. With SMB2 there is significantly reduced compatibility testing (currently only other Windows Vista clients and servers). Additionally the code is a lot less complex since there is far less variability (e.g. there is no need to worry about having Unicode and non-Unicode code paths as SMB2 requires Unicode support).

So you can see they like to introduce new things when it means they have clear intellectual property ownership rights over it and also a lot less work for them. They also don't have to be backwards compatible with their own products.

While SAMBA 4.0 has experimental support for SMB2 interfacing, I'm guessing the "clear intellectual property" could spell trouble moving forward for Tridgell and the SAMBA team.

I'll be suprised if this affects anyone.

[jim_v2000]

IT departments are going to keep everything patched, and individuals aren't going to do it to themselves on their LANS. Between firewalls and NATs, it's not going to happen over the internet. Really, the only situation that I can imagine this happening is perhaps on a university network.

Re:I'll be suprised if this affects anyone.

[rabbit994]

When Windows 7 pops up and asks you what type of network is this and you say "Public", guess what gets firewalled off? I've tried this on my Windows 7 lab computers. If you mark the network as public or disabled file sharing (which is default), Windows firewall will stop this one cold. While this is pretty big "oops", in the real world, it's pretty minor and should be patched before "unwashed masses" get ahold of Windows 7.

Question I have, was Microsoft notified about the problem before this disclosure or was someone trying to build up "street cred" by disclosing early?

"RE"-introducing?

[WED+Fan]

The article makes it seem like it hasn't been in Windows since Windows NT and that Windows 7 is the first time it's reappeared. Seriously, Vista has it.

Is this a case of "It's after midnight, must post another slam on Microsoft, even if we have twist and stretch like taffy to make the case"?

It wouldn't be so bad but the body of the submission is incredibly slanted, almost more than some of the replies.

Re:"RE"-introducing?

[node+3]

Yes, it's such an "entirely new operating system" that is has the same bugs.

MS astroturfers are so busy these days. If you put down a bug in Windows 7, responses that say, "hey, don't pick on MS, it was in Vista too!" get upmodded, and then if you say, "well, 7 is an update to Vista", responses rebutting it get upmodded.

Windows kinda sucks. Vista was pretty awful, 7 is better, and is really what Vista *should* have been (and it is completely based on Vista, modding this fact down doesn't make it untrue).

Mac OS X and Linux both have their flaws, but ignoring apps and computers they support and just looking at the systems themselves, Windows really is the worst of the lot. Throw in games and apps and ubiquitous inexpensive PCs, and Windows is a contender, but it's *not* because Windows itself is all that great.

I've got karma to burn

[mcmonkey]

Speaking of going back to the '90s...

Why is /. using frames?

Oh, I'm sure on the back end it's some web 2.0 dynamic XCSS crap, but on the front end, it looks like a frame, it walks like a frame, it quacks like a frame.

It's a frame.

In firefox 3, I go to slashdot.org. Then I click a link to the IT section. Browser address bar still reads "slashdot.org" (no IT.)

I click a story link, then click the back button.

The browser goes back to slashdot.org, not it.slashdot.org.

Seriously, WTF?

Re:I knew Windows 7 was too good to be true

[Dr_Barnowl]

Supposedly, attempting to create something perfect would be an affront to Allah, who is the only being who is perfect and who can create perfection.

Then surely the deliberate introduction of such flaws is the height of arrogance? They are assuming that they could have attained perfection, whereas even a rug that would be perfect to the human eye, is obviously little better than a puke-stained rag in the sight of Allah. He is truly merciful not to smite them most smite-ily for their presumption that they could even comprehend the nature of rug-perfection, let alone attain it!