Slashdot Mirror


The First Windows 7 Zero-Day Exploit

xploraiswakco writes with the first Microsoft-confirmed Windows 7 zero-day vulnerability, with a demonstration exploit publicly available. The problem is in SMBv2 and SMBv1 and affects Windows 7 and Windows Server 2008 R2, but not Vista, XP, or Windows Server 2003. A maliciously crafted URI could hard-crash affected machines beyond any remedy besides pushing the white button. "Microsoft said it may patch the problem, but didn't spell out a timetable or commit to an out-of-cycle update before the next regularly-scheduled Patch Tuesday of December 8. Instead, the company suggested users block TCP ports 139 and 445 at the firewall." Reader xploraiswakco adds, "As important as the mentioned article is, it should also be pointed out that any IT staff worth their pay packet should already have port 139 blocked at the firewall, and probably port 445, too."


  1. OMG what if my computer doesn't have a white button by Anonymous Coward · · Score: 5, Funny

    What are my options? New computer?

  2. How is this zero-day? by DNS-and-BIND · · Score: 5, Insightful
    The zero-day vulnerability was first reported by Canadian researcher Laurent Gaffie last Wednesday

    OK the exploit is almost a week old already. How is this "zero-day"? In the immortal words of Inigo Montoya: "You keep using that word. I do not think it means what you think it means."

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    1. Re:How is this zero-day? by Anonymous Coward · · Score: 0

      The zero-day vulnerability was first reported by Canadian researcher Laurent Gaffie last Wednesday

      OK the exploit is almost a week old already. How is this "zero-day"? In the immortal words of Inigo Montoya: "You keep using that word. I do not think it means what you think it means."

      Dude, fucking semantics. Who cares? It's not like it's years old or anything. Chill out.

    2. Re:How is this zero-day? by Yvanhoe · · Score: 3, Informative

      In my book "zero-day" means that the vulnerability and the first practical exploit were released the same day. "Zero-day" refers to the time the dev team had to correct the bug.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    3. Re:How is this zero-day? by Ed+Avis · · Score: 3, Funny

      'When I use a word,' Humpty Dumpty said, in rather a scornful tone, 'it means just what I choose it to mean -- neither more nor less.'

      --
      -- Ed Avis ed@membled.com
    4. Re:How is this zero-day? by PCM2 · · Score: 1

      Replying to undo an accidental moderation that didn't deserve it.

      Agreed that "zero day" has almost no meaning these days. Pretty bizarre when companies actually brag about their "zero day exploits" and promise a fix... several days from now?

      --
      Breakfast served all day!
    5. Re:How is this zero-day? by Anonymous Coward · · Score: 2, Insightful

      A zero day exploit is an exploit that exists before the developers of the application are aware of the bug/flaw being exploited. It does not seem unreasonable to keep referring to it as a zero day exploit even after the details of the bug and exploit have been published; how else would you refer to it, e.g. "the exploit formerly known as zero day"?

    6. Re:How is this zero-day? by ozmanjusri · · Score: 3, Funny
      Who cares? It's not like it's years old or anything. Chill out.

      Exactly.

      It's not as though Windows exploits are a scarce event. There'll be plenty more where that came from, so you can be semantically correct next time.

      --
      "I've got more toys than Teruhisa Kitahara."
    7. Re:How is this zero-day? by DMiax · · Score: 5, Insightful

      Nope! It's the number of days between the release date and today.

      I find little use in a definition that depends on today's date. Especially because I can read articles from Saturday and they will call it 3-day, which gives me no information.

      A zero-day exploit is one that is created before a fix is available. It is more severe than others because no version of the target software is safe, even if it is constantly updated. Any security expert knows the implications of this, and how to take it into account when assessing the risks.

    8. Re:How is this zero-day? by Anonymous Coward · · Score: 0

      +1 insightful or +1 funny? I cannot decide, someone mod him instead.

    9. Re:How is this zero-day? by Anonymous Coward · · Score: 2, Informative

      Perhaps you can explain how a fix is created before the exploit is released?

      We're talking about exploits in the wild. If the developers or security researchers discover the bug and patch it before any malicious third party does, there you go. This is very frequently the case, which is why you see so many stories about exploits being crafted by reverse-engineering vendor patches.

      If you're going to be a little sarcastic douchebag, at least be right about something.

    10. Re:How is this zero-day? by DMiax · · Score: 2, Informative

      Simple: malware writer downloads the patch for $SOFTWARE, reverse-engineers it, understands the bug and creates the malware. If he is fast, there are still a large number of vulnerable machines around, so it is worth it, and it is much cheaper than finding the bug, which generally involves having an illegal peek at the code or very good intuition.

      And BTW your repeated references to the movie are not making you look like a geek, more like a wannabe that does not know the first thing.

    11. Re:How is this zero-day? by randomsearch · · Score: 1

      Great quote.

      Can we apply this to "cloud" next? Having seen someone try to explain the difference between "cloud", "grid" and "cluster" the other day I think Inigo Montoya would agree.

    12. Re:How is this zero-day? by Jared555 · · Score: 1

      PS how, exactly, would a malicious third party patch a bug? If you can't tell me for security reasons it's OK, I trust you. You're a security professional!

      Is this part of the trolling or are you also trying to be a grammar nazi here? I assume he meant.... "If the developers or security researchers discover the bug and patch it before any malicious third party discovers it [and exploits it]"

    13. Re:How is this zero-day? by DMiax · · Score: 2, Interesting

      Better than the OP's definition, but not correct. Zero-day means that at the time of the exploit no machine can have the fix already installed. They are different from the reverse-engineered bugs which are ineffective against properly updated software (i.e. when the admin does not suck).

    14. Re:How is this zero-day? by NotBornYesterday · · Score: 0, Offtopic

      Take your stinking paws off my lawn, you damned dirty ape!

      --
      I prefer rogues to imbeciles because they sometimes take a rest.
    15. Re:How is this zero-day? by MBGMorden · · Score: 3, Informative

      You're just being idiotic now.

      Here's an easy, plain vanilla example for you to understand:

      Firefox releases Firefox 4.0. In the patchnotes they say "- Found and fixed a bug allowing a website to catch your computer on fire.".

      Some anxious teenager reads that and says "Holy shit! I bet a lot of people haven't upgraded yet. I'm off to craft up an exploit . . .". A week later he has it ready.

      Millions of computers smolder in ruin. Most importantly though, the fix was available BEFORE the exploit was, and therefore it was not 0-day. End of story.

      --
      "People who think they know everything are very annoying to those of us who do."-Mark Twain
    16. Re:How is this zero-day? by chrisG23 · · Score: 1

      There is not a mod category for "I believe you are incorrect, but we are arguing definitions that have not been standardized".

      To my understanding, and I actually work in the computer security field, a zero-day exploit is one in which the target currently does not have a patch. So a zero-day exploit can last for one day (if the security hole is fixed and a patch released that same day) or many months. This currently is a zero-day because there is no way to fix this. This seems to be the universal agreement between people actually working in the computer security field.

      Like all security exploits, this one only works if the attacker can get to the potential victim. From the summary it appears that this would only work over the SMB ports, so an attacker would either need to find an improperly configured firewall that was passing this traffic from the cloud into the intranet, or would need to have first exploited a machine inside the intranet. It limits the possibilities for attack, but that has nothing to do with it being a zero-day or not. If you can attack a system and there is no way at present to patch the vulnerability, then it is a zero-day exploit. That is my understanding. Obviously there is disagreement on the meaning.

    17. Re:How is this zero-day? by nschubach · · Score: 2, Funny

      So, we'll see you next Tuesday? ;)

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
    18. Re:How is this zero-day? by Deanalator · · Score: 1

      It's referring to 0day in the past tense. *confirmed* the first 0day

      Also 139/445 blockage really doesn't matter. Workstation attacks are generally part of the "spread" portion of attack in the whole penetrate -> (log -> spread)* -> goal -> exit model of attack

    19. Re:How is this zero-day? by Anonymous Coward · · Score: 0

      OH dear. Fucking semantics. Big deal if no one can ever communicate what they mean properly and we descend into a planet of the apes. Never mind everything being dumbed down in education, BUT NOT HERE. THIS IS WHERE I DRAW THE LINE. We are geeks, comms geeks no less. Get off my (only 28yo) lawn!!!!

      You're my favorite commenter today.

    20. Re:How is this zero-day? by http · · Score: 1

      Security pros aren't using your book. Maybe you should lower the price.

      --
      If opportunity came disguised as temptation, one knock would be enough.
      3^2 * 67^1 * 977^1
    21. Re:How is this zero-day? by Carewolf · · Score: 1

      I find little use in a definition that depends on today's date. Especially because I can read articles from Saturday and they will call it 3-day, which gives me no information.

      Then you don't need the definitions; people monitoring security events do, however.

      Btw, an exploit that was recently 0day is not n-day, it is new. Zero-day exists to tell the difference between something you have a chance to react to (even if the only possible action is disconnecting), and stuff you can not react to because you are not sitting 24h a day pressing F5 on all the world's security boards.

    22. Re:How is this zero-day? by mr_lizard13 · · Score: 1

      Which is why I use Internet Explorer. Thanks to its superior code, my computer has never caught fire.

      --
      "We live in a global world" - Harvey Pitt, former Securities and Exchange Commission Chairman
    23. Re:How is this zero-day? by Anonymous Coward · · Score: 0

      Millions of computers smolder in ruin. Most importantly though, the fix was available BEFORE the exploit was, ...

      Welcome to slashdot, with priorities like that you'll probably feel right at home here ;-)

    24. Re:How is this zero-day? by Anonymous Coward · · Score: 0

      "A wizard is never late. Nor is he early. He arrives precisely when he means to!"

      Sorry for the off-topic quote, but it had to be said in a geek-type forum after the parent quote.

    25. Re:How is this zero-day? by mdielmann · · Score: 1

      Almost right. It's the time between when the bug was known by the developers/users, and when it was exploited (usually because the hackers found it first, and figured out how to use it before anyone else found it). For 0-day exploits, you usually find out when your system gets compromised, or that someone's system got compromised shows up in the news.

      --
      Sure I'm paranoid, but am I paranoid enough?
    26. Re:How is this zero-day? by Anonymous Coward · · Score: 0

      Hey! You win the stupid fuck award! You stupid fuck!

    27. Re:How is this zero-day? by dave87656 · · Score: 1

      "Zero-day" refers to the time the dev team had to correct the bug.

      Actually, since most hackers with ill intentions don't announce a vulnerability they've found, who knows how long the vulnerability has existed and how long it's been abused? There is plenty of malware which virus scanners don't even recognize, but that doesn't mean they don't attack your system. All of our email boxes (Windows boxes connected to the internet) were infected by a virus which was first discovered nine months later. At that time it was recognized that it had been around for a while.

  3. Why are ports 139 and 445 still open? by concernedadmin · · Score: 5, Interesting

    I remember once trying to see what it takes to make Windows not have any ports open and it resulted in severely reduced access to just about anything that wasn't local. Why is it that these ports are necessary? Why is NETBIOS necessary?

    1. Re:Why are ports 139 and 445 still open? by ledow · · Score: 4, Informative

      Even weirder - on a machine which isn't on a domain, but which has a software firewall, you can open *every* port to a destination machine (e.g. a fileserver) and it *will* access the SMB shares of that fileserver (\\ipaddress\c$ etc.) but takes forever the first time because the broadcasts have been blocked by the firewall. So it doesn't need the broadcasts, or to be on that domain, or to do anything that isn't direct IP with the target machine - but it still takes forever to realise that and just start listing files.

      And once you've done it once, that file sharing will run at full speed for the rest of the day. I'm imagining some sort of name resolution etc. issue (but the PC in question can actually use the same machine for DNS and still have the problem) but if it's not *required* to connect to the machine, why does it try anyway and hold everything up? And the firewall only ever reports NetBIOS traffic while that's happening.

    2. Re:Why are ports 139 and 445 still open? by drinkypoo · · Score: 2, Interesting

      I don't have your problem, and never have had. When I have DNS working and windows set to go to DNS for netbios name resolution, then everything works OK. What I *do* have now is that GNOME VFS will refuse to connect to a server on the first attempt (and fails quickly) but works immediately on the second. I wonder if that's related somehow.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Why are ports 139 and 445 still open? by ticklish2day · · Score: 1

      Stop wondering and figure it out.

    4. Re:Why are ports 139 and 445 still open? by Menkhaf · · Score: 1

      On the contrary, why shouldn't ports 139 and 445 remain open? Why do I need to block ports and DISABLE functionality to remain safe?

      --
      A proud member of the Onion-in-Hand alliance
    5. Re:Why are ports 139 and 445 still open? by Menkhaf · · Score: 1

      ...stay safe. More coffee...

      --
      A proud member of the Onion-in-Hand alliance
    6. Re:Why are ports 139 and 445 still open? by jim_v2000 · · Score: 1

      Those are the ports file sharing goes over. If you don't want them open, disable file sharing or disable the exceptions for those ports in the Windows firewall.

      --
      Don't take life so seriously. No one makes it out alive.
    7. Re:Why are ports 139 and 445 still open? by Anonymous Coward · · Score: 0

      You are most likely using Netgear routers. Replace them with Cisco gear.

    8. Re:Why are ports 139 and 445 still open? by Anonymous Coward · · Score: 0

      The strange thing is, that it is indeed connection based with the broadcasting used for meeting each other only. Second problem might be timeouts.

    9. Re:Why are ports 139 and 445 still open? by Anonymous Coward · · Score: 0

      You mean Linksys.

  4. Ball kicking time by Rogerborg · · Score: 5, Insightful

    Don't they do code reviews at Microsoft? Loops 101: prove that the loop terminates under all conditions, even and especially when passed garbage.

    Seriously, that's the difference between a hacker and a software engineer right there. If you don't take the time to fix it early, you'll just have to fix it later.

    --
    If you were blocking sigs, you wouldn't have to read this.
    1. Re:Ball kicking time by ShooterNeo · · Score: 2, Interesting

      People make mistakes. Perhaps the coders of the loop thought that input protection located in code elsewhere would prevent this from ever being a problem. Maybe the person who was supposed to write the input protection piece forgot to do it because of a miscommunication. (one of the downsides of working on a project where the job is split between thousands of developers)

      Given that Windows has more lines of code than just about any other software in existence, it's actually fairly impressive how well it holds up the majority of the time.

    2. Re:Ball kicking time by Anonymous Coward · · Score: 0

      You find stupid errors in every non-trivial program. I still can't conceive the one Linux had this year.

      Pointers 101: Don't check for NULL after you already dereferenced the pointer. That is like putting the condom on after the sex.

      And unlike the termination of a loop that kind of error could be found with static analysis.

    3. Re:Ball kicking time by 1s44c · · Score: 3, Informative

      Seriously, that's the difference between a hacker and a software engineer right there. If you don't take the time to fix it early, you'll just have to fix it later.

      The Microsoft approach is to collect the money and get their customers to agree that everything that goes wrong is their fault. It's at least as good protection for them as writing decent code and many times cheaper.

    4. Re:Ball kicking time by ozmanjusri · · Score: 3, Interesting
      Given that Windows has more lines of code than just about any other software in existence

      Why is that?

      Does an OS really need to be so complicated? ReactOS, for example, provides a significant proportion of the functionality of Windows in a fraction of the size.

      Surely fewer lines of code mean a smaller attack surface for exploits and vulnerabilities.

      --
      "I've got more toys than Teruhisa Kitahara."
    5. Re:Ball kicking time by nstlgc · · Score: 1, Funny

      But nobody actually uses ReactOS!

      --
      I'm Rocco. I'm the +5 Funny man.
    6. Re:Ball kicking time by DrXym · · Score: 1
      Don't they do code reviews at Microsoft? Loops 101: prove that the loop terminates under all conditions, even and especially when passed garbage.

      Every OS in existence has received patches. OS X, Windows, Linux, Unix, BSD (even OpenBSD). Ubuntu Linux 9.10 has been out less than a month and I've already received 90-odd patches, and it still has a critical ext4 file corruption bug.

      I expect that even if MS rigorously tested the code (and I expect they did), used code coverage tools to ensure good quality testing, that the bug could still have slipped past. That's the real world. It doesn't excuse MS from promptly making a patch to fix the issue though.

    7. Re:Ball kicking time by Anonymous Coward · · Score: 1, Informative

      Your point being what?

      The GP was simply stating that you can get equivalent functionality to current Windows versions using less code than what exists in those current Windows versions. They then extrapolated the usual (but not always) truth that less code equals fewer vulnerabilities, given approximately equivalent quality.

    8. Re:Ball kicking time by ShooterNeo · · Score: 1

      Maybe it needs to be this complex, maybe it doesn't. Fact is, the majority of the desktop apps in the world are still run using a variant of windows, and for the moment it does not look like that fact is going to ever change.

      Microsoft cannot remove much code and maintain compatibility with legacy apps.

      Well, they COULD, but using emulation....

    9. Re:Ball kicking time by Muad'Dave · · Score: 1

      That reminds me of my favorite Java n00b null check (I've seen this in the wild):

            if (myObject.equals(null)) ....

      --
      Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
    10. Re:Ball kicking time by Plunky · · Score: 1

      People make mistakes. Perhaps the coders of the loop thought that input protection located in code elsewhere would prevent this from ever being a problem.

      assert() for that on entry to the function and it becomes immediately clear when your assumptions about elsewhere were lacking

    11. Re:Ball kicking time by Anonymous Coward · · Score: 0

      ReactOS is still in alpha and will be for a long time to come. It would be very nice to see it in usable form, but I think it will take half a decade before it will run everything that old Windows NT installations do now. And until it runs something that wine doesn't, I don't think that many FOSS loving geeks (like myself) outside the ReactOS community will use it either, considering that dual-booting is always a hassle, which means that for other purposes than testing out of curiosity, Linux will be the top choice for years to come simply due to the availability of Linux apps and Windows apps that run under wine.

    12. Re:Ball kicking time by Anonymous Coward · · Score: 0

      What you're saying about vulnerabilities is true. However, it is also true about the number of apps ReactOS can run: Only a handful and many of them poorly. So it's far from equivalent functionality.

    13. Re:Ball kicking time by Anonymous Coward · · Score: 0

      This one time, I loaded Windows XP RTM on a machine and didn't install anything or do anything with it. The machine ran for two years without crashing or having any problems!

      Come ON, people! :>

    14. Re:Ball kicking time by clodney · · Score: 2, Interesting

      People make mistakes. Perhaps the coders of the loop thought that input protection located in code elsewhere would prevent this from ever being a problem.

      assert() for that on entry to the function and it becomes immediately clear when your assumptions about elsewhere were lacking

      It will assert on entry of course, but only in a debug build, and only when the proper input conditions are met. In the putative scenario of a loop coder thinking he was protected by input protection located somewhere else, the assert would only fire if the right test case was constructed. For all we know there is an assert in the code, but it won't help us in a release build.

    15. Re:Ball kicking time by dontmakemethink · · Score: 1

      Do you sell used cars or something? Nothing personal, but that's a rather self-defeating argument for something you don't seem to have much faith in.

      --

      War as we knew it was obsolete
      Nothing could beat complete denial
      - Emily Haines
    16. Re:Ball kicking time by Anonymous Coward · · Score: 1, Funny

      ReactOS is based heavily on Wine, which is pretty damn awesome these days.

    17. Re:Ball kicking time by ozmanjusri · · Score: 1
      And until it runs something that wine doesn't,

      That's never going to happen. Both are open source projects, they share code so will always be at or near parity.

      --
      "I've got more toys than Teruhisa Kitahara."
    18. Re:Ball kicking time by b4dc0d3r · · Score: 1

      You don't need ReactOS to prove your point - the difference between Vista and XP is enough. The number of background applications run as services exploded in Vista... and as a nice side effect, it's nearly impossible, even with Process Explorer, to see what is slowing down your machine.

      Usually it's disk I/O from background processes like antivirus, Windows Update (anything MSI related seems to totally hog the system), or file indexing. But lots of the time it's just one of 10 services.exe or svchost.exe entries, with 10 or more services attached, doing something, somewhere.

      If you like XP then the answer is no, it doesn't need to be that complicated. A lot of the extra code and design in Vista is security-related, so maybe the answer is double-no. And if they started good design with Windows 98 instead of waiting for XP and then sitting on it for 6 years maybe the answer is no, a good OS can be much simpler and more elegant.

    19. Re:Ball kicking time by Shotgun · · Score: 2

      People make mistakes. A company that has produced some of the richest people in the world and has extracted billions of dollars from the world's economy should have some processes in place to ensure that bugs found years ago do not creep back in. It's called regression testing.

      --
      Aah, change is good. -- Rafiki
      Yeah, but it ain't easy. -- Simba
    20. Re:Ball kicking time by Anonymous Coward · · Score: 0

      Umm, dude... have you actually tried to use ReactOS for anything serious? It's about as stable as a house of cards in a hurricane. Your point is invalidated.

    21. Re:Ball kicking time by celtic_hackr · · Score: 1

      Given that Windows has more lines of code than just about any other software in existence

      Why is that?

      Does an OS really need to be so complicated? ReactOS, for example, provides a significant proportion of the functionality of Windows in a fraction of the size.

      Surely fewer lines of code mean a smaller attack surface for exploits and vulnerabilities.

      The fact that Linus thinks Linux has gotten bloated is indicative that it is a natural decay incumbent on modern desktop OSes. Not that it is necessary, but due to the scope and size of modern desktop OSes it is a natural side-effect, which, once you are aware of it, can be combated in OSes that are run by dedicated volunteers, but unlikely in any commercial OSes. I agree that given the development environment Windows holds up well. It's just the wrong development environment.
      Long live FOSS, the right development environment.

    22. Re:Ball kicking time by Anonymous Coward · · Score: 1, Insightful

      Well, the key word here is "significant proportion", which is used to mean "no application works 100% of the time". For example, when I tried ReactOS it crashed in QEMU. Not even on real hardware.

      Yes, an operating system of today needs to be complicated. There are complicated standards, complicated compatibility problems, complicated hardware, complicated performance requirements... No, there's no easy way around that.

      I've programmed toy operating systems. It isn't easy, and that's just the kernel. Now I have a lot of respect for kernel and system hackers.

    23. Re:Ball kicking time by kbielefe · · Score: 1

      the assert would only fire if the right test case was constructed

      Yes, but most test groups are full of highly skilled hackers who pore through the source code so they can create carefully crafted buffer overflow strings for their test cases....okay, can't even type that with a straight face.

      --
      This space intentionally left blank.
    24. Re:Ball kicking time by b4dc0d3r · · Score: 1

      I realize I missed your point. If half of your code is sanitizing and security checking, the exposed surface area is no larger and the vulnerability is not affected. Most of what went into Vista compared with XP is security-related code, and I believe it is not proportionally more vulnerable than XP. So no, lines of code are not correlated with attack surface.

      The attack surface is really defined by the number of interfaces, both public and private. If you can get malicious code to a private interface by passing bogus data to a public interface, that's almost guaranteed to be exploitable, even if it's just a DOS. Turn off file and print sharing and the attack area drops. Turn off the infamous netbios and samba ports and the attack area drops. You're not dropping lines of code, you're turning off interfaces. Add more lines of code to sanity check these interfaces and the attack surface remains the same.

      I'd be more worried about the number of required processes, especially the service-level ones which are new and poorly documented. Services are privileged, so you need more code around them, not less. "Background Intelligent Transfer Service" is just a trickle download app - does it need to run as a service? "ATI Hotkey Poller" - it's not Microsoft, but somewhere along the way ATI decided the only way to check for system-wide hotkeys was to install a service. ClipBook viewer - yet another way to share data between computers. FTP publishing - just a simple app that listens on port 21, requires a service which can run privileged code? IIS? File indexing - all I have to do is get you to SAVE a malicious file. Not open it, just put it where it gets indexed, and if it has a vulnerability you're owned. Theme support is a service - thank goodness it only runs digitally signed themes and there is no workaround that millions of users applied to run custom themes, right? And this is just from the XP list - Vista doubles that, at least.

      ReactOS is not mature enough, it does not have a lot of sanitizing in place, lots of functionality is unchecked because the idea right now is to get it working according to Microsoft's documentation, not secure. So it's a red herring.

      In truth, the OS should provide the minimum amount of functionality to run applications, and handle context switching and coordinate resource access. I'm not sure if Linux distros with all of their freeware pushed Microsoft to include every type of application under the sun, or if it's just wanting control of all avenues of userland, but there's just way too much functionality - too many interfaces - to lock down. 7 is supposed to be a better Vista, so maybe they fixed that, but as always new code will be the least tested part of the OS, and will probably be where you find vulnerabilities. After so many years of XP support, I'd expect any legacy XP code to be rock solid, and I'd expect to see more vulnerabilities specific to Win7/IE8.

    25. Re:Ball kicking time by Blakey+Rat · · Score: 2, Informative

      Don't they do code reviews at Microsoft?

      Yes they do.

      Loops 101: prove that the loop terminates under all conditions, even and especially when passed garbage.

      "Terminates under all conditions" is a little difficult to prove in any non-trivial situation.

      Seriously, that's the difference between a hacker and a software engineer right there.

      The former bitches and moans on Slashdot, and Microsoft hires the latter?

      If you don't take the time to fix it early, you'll just have to fix it later.

      Maybe you should send Microsoft your perfect coding technique that won't possibly have exploits. Since you seem to have all the secrets of software nailed down. I'm sure Microsoft would love to see it.

    26. Re:Ball kicking time by Anonymous Coward · · Score: 0

      "Surely fewer lines of code mean a smaller attack surface for exploits and vulnerabilities."

      To parrot you: why is that? Any nontrivial software becomes enormously hard to understand and verify.

    27. Re:Ball kicking time by Plunky · · Score: 2, Interesting

      assert() for that on entry to the function and it becomes immediately clear when your assumptions about elsewhere were lacking

      It will assert on entry of course, but only in a debug build, and only when the proper input conditions are met.

      C99 specification says that defining an NDEBUG symbol can be used to prevent compiling the assert() into the program. That means it is not a debug option, and should normally be present even in release code unless specifically disabled. Far, far better for the program to fail with a meaningful error that the development team can track than allow program code to hang, just frustrating the user who doesn't know anything.

    28. Re:Ball kicking time by Skuld-Chan · · Score: 1

      Seriously - at every software company I've ever worked at (3 so far - and one of them was big enough that every one of you has heard of them), every single exploit we ever found was reviewed - often by multiple people.

      Who would have thought the human factor would play such a large role in software development?

    29. Re:Ball kicking time by jim_v2000 · · Score: 1

      The GP was greatly exaggerating the abilities of ReactOS.

      --
      Don't take life so seriously. No one makes it out alive.
    30. Re:Ball kicking time by Skuld-Chan · · Score: 1

      The problem is ReactOS doesn't actually meet all the customer requirements like Windows does. Having worked in development, one of the biggest problems you'll ever face with a really popular application is, I think, three-fold: putting features in that sales wants (or thinks they want) so they can market the product, putting features in the product that enterprises and end users want, and finally, after all that, making sure said product still meets user requirements - which may entail features from the current shipping products and stuff shipped before that. After all that, your project can get quite big. If you strip Windows down to what ReactOS supports you'd probably find it's about the same footprint.

      From what I've seen - a good chunk of Windows is there for legacy purposes. The whole application compatibility toolkit/shim system for example, the WOW layer (Windows on Windows).

      Speaking of shims - you can see how seriously Microsoft took compatibility in Vista/Windows 7 - there are shims in there for Acrobat 3 (or Acrobat 4 - I can't remember really) - a product that hasn't shipped in 13 years.

    31. Re:Ball kicking time by BitZtream · · Score: 1

      Or that they left out all the constraint checking on functions to ensure they aren't being passed garbage.

      Fewer lines of code does not guarantee fewer bugs and exploits. Remove all checks for buffer overflows and you'll have smaller code, but it's certainly more exploitable.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    32. Re:Ball kicking time by Anonymous Coward · · Score: 0

      I know that they share a lot of code but some Windows apps are actually so tied to Windows that they might never be runnable under wine but possibly in ReactOS. Adobe Premiere is one app that I think will never run fully under wine considering its need to connect to peripherals (not only camcorders but also jog 'n' shuttles for editing). Also, Adobe Photoshop will never run as well in wine as it runs in Windows due to its special algorithms for reading the mouse cursor position when drawing (I CBA to dig up the post about it on the wine-devel list but it was acknowledged that such hyper frequent reading of the cursor position will not be possible even if the app can otherwise be made to run perfectly).

    33. Re:Ball kicking time by Anonymous Coward · · Score: 0

      This one time, I loaded Windows XP RTM on a machine and didn't install anything or do anything with it. The machine ran for two years without crashing or having any problems!

      And I'm sure it made a very useful contribution to the botnets it was subscribed to in that time.

    34. Re:Ball kicking time by ShooterNeo · · Score: 1

      Dude, you try going to college and getting a CS degree at a top school like Stanford or Carnegie Mellon. Try to be in the top 20% of your class. Now, try to get a job working for Microsoft.

      If you get past all of those steps (most Americans would fail), NOW you can talk. Can you really produce 600 lines of code a month that have NO errors and NO mistakes at all? Code that works 100% of the time, no matter what? Good luck.

      Yes, there are probably a few unbelievably talented programmers that could accomplish what I just listed. John Carmack, for instance, is probably almost this good. But most people aren't, even those at the top of their respective classes.

    35. Re:Ball kicking time by shutdown+-p+now · · Score: 1

      ReactOS, for example, provides a significant proportion of the functionality of Windows NT in a fraction of the size of Windows 7.

      Fixed that for you.

    36. Re:Ball kicking time by Anonymous Coward · · Score: 0

      Well technically things like "DirectX" and all the various hardware oriented stuff are what take up the space. Plus you could count several things that are separate pieces of software in other OS (browser, media player, etc) that are all part of the OS, mostly. Remember, in-house they have something called "MinWin" that runs off a floppy without issue and already has networking and a webserver/ftp server. I still don't know why they don't market that. A lot of people would pay as much as Win7 for it.

    37. Re:Ball kicking time by Hurricane78 · · Score: 1

      Of course it provides a significant proportion in a fraction of the size.

      It's the fractal principle. Just as you need maybe 10 iterations to generate what feels like half the detail in a Mandelbrot, and 5000 (or rather an infinite amount) for the other half.

      That is because of the cascading levels of differences.
      If ReactOS has the basic cases handled, it can do e.g. 80% of the functions in 20% of the code, or even less.

      See it like this:

      Implementation detail level 1: 50.0% of functionality done
      use case 1: 50.0% of functionality covered

      Implementation detail level 2: 75.0% of functionality done
      use case 2: an additional 15.0% covered
      use case 3: an additional 10.0% covered

      Implementation detail level 3: 87.5% of functionality done
      use case 4: an additional 4.0% covered
      use case 5: an additional 3.5% covered
      use case 6: an additional 3.0% covered
      use case 7: an additional 2.0% covered

      etc.
      Now consider that every use case on average can take the same amount of time to implement. (Assuming that we talked about orthogonal use cases.)
      Then it's clear why it takes so much more work for the billions of tiny exceptions that you have to add for the last 5% of use cases.

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    38. Re:Ball kicking time by Blakey+Rat · · Score: 1

      ReactOS, for example, provides a significant proportion of the functionality of Windows in a fraction of the size.

      How significant is significant?

      Or, asked a different way, if ReactOS provides a significant proportion of the functionality of Windows, why aren't a significant proportion of customers using it?

  5. Not much of an exploit.. by Anonymous Coward · · Score: 3, Funny

    No remote code execution? Boring. Let's see if some people out there could weaponize it and throw it into a metasploit module. Then it's interesting.

    1. Re:Not much of an exploit.. by Anonymous Coward · · Score: 0

      My concern is that if an exploit causes a crash, eventually someone can find a way to make the exploit run on injected code. It is likely only a matter of time before someone does this. Externally, it makes sense to block SMB/CIFS, but this leaves a lot of internal servers vulnerable if they are running Windows Server 2008 R2. So, I hope MS gets a fix out for this ASAP.

      People have to keep in mind that there are numerous blackhat organizations going after every single byte of code in Windows 7 with a fine-toothed comb looking for any single bugs that can be used. It only takes one show stopper bug, and this can easily cause billions of dollars in losses, perhaps trillions. So, Microsoft has a very tough game to play.

      Of course, this goes for any OS, but blackhats have Windows operating systems under the microscope due to the market share, as it is the biggest bang for the buck.

    2. Re:Not much of an exploit.. by RiotingPacifist · · Score: 1

      My concern is that if an exploit causes a crash, eventually someone can find a way to make the exploit run on injected code. It is likely only a matter of time before someone does this.

      It is my understanding that because any such method would immediately turn a whole load of DOS attacks into arbitrary code execution, all OSes take great care to prevent that (well, apart from Linux where ASLR is broken and wine prevents high address space protection). I mean, it is possible that an exploit will be found, but such an exploit is going to be tricky to develop (something akin to the null certificate, rather than just a Windows exploit of the week attack), so don't let it keep you up at night!

      --
      IranAir Flight 655 never forget!
    3. Re:Not much of an exploit.. by Anonymous Coward · · Score: 0

      That's not boring, it's the return of WinNuke.
      This might just make Windows 7 popular again.

    4. Re:Not much of an exploit.. by JDeane · · Score: 1

      I remember so many different versions of WinNuke... lol

      My dim memory of the day is telling me MS patched the first version of it so someone released a version of it that worked on patched machines, then MS had to go and ruin all the fun by totally fixing it.

      Ahhh, those were the days.

  6. Well researched article, that... by EMN13 · · Score: 3, Funny

    From the article:
      "Instead, the company suggested users block TCP ports 139 and 445 at the firewall. Doing so, however, would disable browsers as well as a host of critical services, including network file-sharing and IT group policies."

    Good to know that blocking ports 139 and 445 will block browsers, we wouldn't want people actually doing that, after all!

    1. Re:Well researched article, that... by EMN13 · · Score: 4, Informative

      The author probably confused the browser service - which is for LAN file sharing - with a web browser. Not that that confusion gives me much faith in the rest of the article; what other "details" are equally mangled?

    2. Re:Well researched article, that... by kbielefe · · Score: 1

      what other "details" are equally mangled?

      You mean other than failing to realize almost everyone places their firewalls between their LAN and the Internet, not between individual nodes on a LAN?

      --
      This space intentionally left blank.
    3. Re:Well researched article, that... by mdielmann · · Score: 1

      Hello, Linux user!
      EVERY Windows computer has a software firewall nowadays, many of them even turned on. Some may even be useful. I can only imagine how well my network shares will behave if I block those ports.

      --
      Sure I'm paranoid, but am I paranoid enough?
  7. Secured by Default by Toreo+asesino · · Score: 5, Interesting

    Public networks have all inbound ports blocked by default. Changing a network type to anything other than public requires admin rights, so this would have to be an internal DOS attack realistically.

    --
    throw new NoSignatureException();
    1. Re:Secured by Default by Anonymous Coward · · Score: 0

      Those who use Windows file sharing services need those ports open to the network. It is highly unusual to have the LAN and the internet connection on different network devices, so opening the ports to the LAN also opens them to the internet, unless you block access to these ports at the firewall, which is what the article says.

      Also, what if my computer does not have a white button? What are my options? New computer?

    2. Re:Secured by Default by andyjb · · Score: 1

      Yes, but that's still not great, is it? Esp. when it could be safer by design. It doesn't seem as if it would take a more-easy-to-spot DOS attack either - just a lightweight process occasionally spamming these bad URIs to Server 2008 and Win7 boxes on the network.

    3. Re:Secured by Default by Malc · · Score: 1

      Yeah, I was wondering which firewall was being referred to: at the network level, or at the machine (i.e. Windows firewall) level? Would doing it at the machine level make it hard for others to access shared folders? It seems these days that most of the computer issues (viruses, trojans, etc) have come from other machines on the corporate network, so a network level firewall is only half the story.

    4. Re:Secured by Default by Anonymous Coward · · Score: 0

      Really,

      So I should only be worried about folks from China? Not someone who just plugs into my local LAN?
      And up till now I thought I had to restrict access to shares and take away administrative permissions to protect from internal threats?

      Which one is it - China or internal? Methinks both, and that is why this and any other similar (many) issues aren't just "block at the firewall".

    5. Re:Secured by Default by sam0737 · · Score: 1

      Even for Home or Work / Domain profile, the default for "Network discovery" may be on, but "File and printer sharing" is off.

      (I could be wrong because it could be my company's group policy turned it off...someone could cross check)

    6. Re:Secured by Default by solevita · · Score: 1

      so this would have to be an internal DOS attack realistically.

      Just the thing you need if you don't like your IT staff and they've just rolled out a Windows Server 2008 box...

  8. Are you trolling? by Anonymous Coward · · Score: 2, Informative

    The zero-day vulnerability was first reported by Canadian researcher Laurent Gaffie last Wednesday, when he revealed the bug and posted proof-of-concept attack code to the Full Disclosure security mailing list and his blog.

    Quote whole sentences...

    1. Re:Are you trolling? by Jurily · · Score: 1

      That still doesn't make it a zero-day. Zero-days appear in the wild on the day of release.

    2. Re:Are you trolling? by Anonymous Coward · · Score: 0, Offtopic

      The part that you added did not change the meaning of the quotation at all. If you really don't like partial sentence quotations then you might be better off not reading anything, ever.

    3. Re:Are you trolling? by MrNaz · · Score: 4, Insightful

      So you're saying that it can only be described as zero day on that day, and thereafter it cannot be called a zero day exploit, but a n-day exploit where n is the number of days since it was announced?

      Sorry, but while you may be *lexically* correct, I think everyone with two brain cells that are on talking terms knows what is being referred to by a "zero day" exploit, even when referring to an exploit not released on that day.

      --
      I hate printers.
    4. Re:Are you trolling? by DarkOx · · Score: 5, Informative

      I always thought that zero-day referred to the time between when an exploit was being used in the wild and the amount of time admins/endusers had to patch their systems.

      In the case of an exploit floating about in the wild where there has been no patch made available, it is a zero day because I have had zero days to patch my systems before the potential for easy exploitation.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    5. Re:Are you trolling? by sproot · · Score: 3, Funny
      On the subject of re-writing the language:

      loses it's [sic] meaning

      your [sic] plain wrong

      That last one might be ironic.
      xx

    6. Re:Are you trolling? by DMiax · · Score: 1

      I fail to see any usefulness in this definition, since it depends on when the article is posted. So to know how severe the risk was I have to look at the date of the news and subtract the quantity mentioned.

      Also, it is still not true that all exploits are 0-day. Sometimes the vulnerability is announced in the changelog of a software, yet an exploit is produced that targets unpatched machines. Actually it happens quite often.

      There is still the question of when to start the counting, but having a definition that depends on the current time seems unreasonable, if anything because of timezones...

    7. Re:Are you trolling? by nstlgc · · Score: 1

      Zero-day refers to the age of the exploit.

      --
      I'm Rocco. I'm the +5 Funny man.
    8. Re:Are you trolling? by webmistressrachel · · Score: 0
      My grammar and punctuation go downhill when I'm ranting on a rubbish laptop keyboard. You've no idea how many times I fumbled TAB, Enter and the mousepad thing whilst writing that, and having to reposition the caret. So no, not deliberately trying to mislead people as to correct punctuation etc., but he is deliberately misleading people about meaning, hence rant rant rant

      lol and thanks for the correction, it is ironic isn't it? Rachel xx

      --
      This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
    9. Re:Are you trolling? by Anonymous Coward · · Score: 0

      Mod parent up. "Zero-day" refers to the amount of time admins have to patch a system before known attacks have started:
      http://what-is-what.com/what_is/zero_day_exploit.html

      A zero-day exploit is a computer security vulnerability that is being actively practiced before knowledge of the exploit becomes public information.

    10. Re:Are you trolling? by Blakey+Rat · · Score: 1

      The point of "zero-day" is that you have zero days to patch your system before exploits appear. For example, if the exploit was found by researching an existing exploit.

      If a security researcher found it, and it's not actually being exploited (yet), then it's not zero-day.

      It's not a difficult term, I'm not sure what the problem is here.

    11. Re:Are you trolling? by dontmakemethink · · Score: 2, Funny

      Actually, the grandparent poster is correct. Zero-day means just that. What you're talking about needs a different word.

      I believe the term "Windows exploit" in itself adequately covers that it was quickly and easily discovered and abused.

      Bonus points for stating that anyone who thinks differently from you must be stupid.

      Damn Mac users eh?

      --

      War as we knew it was obsolete
      Nothing could beat complete denial
      - Emily Haines
    12. Re:Are you trolling? by Anonymous Coward · · Score: 0

      I've always understood a zero-day to mean an exploit that appears in the wild BEFORE a patch is available (basically people not doing the 'responsible disclosure' thing). Lots of charts and graphs from security software providers certainly show it this way. Since the patch is not available yet, this is a zero-day.

    13. Re:Are you trolling? by dwinks616 · · Score: 0

      You fool! You very well might end up scaring the only woman ever seen on Slashdot away like that! Just leave it be, for the love of all that is good and holy!

    14. Re:Are you trolling? by PRMan · · Score: 1

      Exactly, zero-day means a black hat found it and started using it before a white hat reported it to Microsoft.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    15. Re:Are you trolling? by roguetrick · · Score: 1

      Or a black hat heard about it due to the reporting, and the reporting happened the same day, thus zero day. Taking advantage of research information before anyone else can act.

      --
      -The world would be a better place if everyone had a hoverboard
    16. Re:Are you trolling? by thePowerOfGrayskull · · Score: 1

      Zero day means only that the attack was published before the vendor could fix the issue.

    17. Re:Are you trolling? by Imagix · · Score: 1
      IMHO, a zero-day exploit should be exactly that. An exploit that was found on the zeroth day of release. Otherwise what makes a "zero day" exploit so special that it needs the extra moniker of "zero day"? Why is it so special if you find an exploit, and have code to exploit it the same day? How else did you verify that the exploit actually works without crafting an appropriate program to exploit it?

      A true "zero day" epxloit would be a special thing as that would represent a hole so easy to find that it took less than 24 hours to find the hole from the time that the researcher could obtain the application. Applying the term "zero day" to other types of exploits is simply trying to attach some sort of buzzword to artificially increase the prestige of the explot.

    18. Re:Are you trolling? by nschubach · · Score: 4, Funny

      I tried blaming my keyboard once. It just stared back at me knowing that it had done nothing wrong and I couldn't prove otherwise. The little bastard had me in a corner and the other people in the office were staring at me.

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
    19. Re:Are you trolling? by Deanalator · · Score: 1

      The way I mostly see it used is "0day" is a feature of an exploit in which the vendor has either not been informed of the bug, or is refusing to patch because they believe they have properly covered up the bug's existence, or that the bug is not dangerous, so not a priority.

    20. Re:Are you trolling? by plague3106 · · Score: 1

      No, I'd assume zero day is exactly that; zero day. It seems to be a term to discredit a piece of software... on the day it's released there's already a hole, as opposed to a hole being discovered months after everyone's had it.

    21. Re:Are you trolling? by Anonymous Coward · · Score: 0

      I made almost this same comment last week, and several times in the past. Posting anon because I modded you up, righteous nerd rage FTW, you're welcome.

    22. Re:Are you trolling? by ColdWetDog · · Score: 1

      And just exactly how do you know this 'mistress' is female? Eh?

      Are you new here or something? Be careful, son. The Internet can be a dangerous place for young'ns.

      --
      Faster! Faster! Faster would be better!
    23. Re:Are you trolling? by dave562 · · Score: 2, Informative

      In the context of security exploits, zero day means that the patch is unavailable from the vendor. The original term zero day was stolen from the warez scene where "Zero Day is a state of freshness" (tm). In order for a warez release to be zero day it had to hit the site before it hit the store shelves. Usually that would mean that it came from Europe, or was released by someone who worked at the company putting the game out.

    24. Re:Are you trolling? by Carewolf · · Score: 1

      I always thought that zero-day referred to the time between when an exploit was being used in the wild and the amount of time admins/endusers had to patch their systems.

      Nope, zero-day refers to the age.

      Just like newborn babies lose the "newborn" title after a short while, or how a 22-year old girl who was raped as a 17-year old, is not a 17-year old rape-victim any longer. 0day is a title that hardly survives a day.

    25. Re:Are you trolling? by YankDownUnder · · Score: 1

      ...and here I thought, folks, that *I* was strange for allowing my mouse to manipulate me...

      --
      YankDownUnder Veni, Vidi, volo in domum redire
    26. Re:Are you trolling? by Anonymous Coward · · Score: 0

      I thought zero day meant it would take less than one day for the exploit to take over a particular system.

    27. Re:Are you trolling? by innocence18 · · Score: 1

      ...allowing my mouse to manipulate me...

      You live in Soviet Russia right???

      --
      Anonymity of the internet is responsible for the views expressed in my post.
    28. Re:Are you trolling? by YankDownUnder · · Score: 1

      I think I might. I'm not sure. Is it near Sydney?

      --
      YankDownUnder Veni, Vidi, volo in domum redire
  9. pushing the white button?? what does that mean? by DigitalReverend · · Score: 5, Insightful

    The summary states "A maliciously crafted URI could hard-crash affected machines beyond any remedy besides pushing the white button."

    I checked all the Windows machines here. None of them have a white button on them anywhere. What does this mean? Does the poster just mean powering the machine off and then on again?

    Too many times on Slashdot, when people should be informative, they obfuscate the information in failed attempts at being clever.

    --
    I read Slashdot for the headlines, because the headlines, unlike the articles, are usually original and never duplicated
  10. Re:pushing the white button?? what does that mean? by EkriirkE · · Score: 1

    I don't have Windows 7, but maybe it's some UI component?

    --
    from 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    to 45 2F 6E 40 3C DF 10 71 4E 41 DF AA 25 7D 31 3F
  11. Terrifyingly potent by Sockatume · · Score: 5, Funny

    A maliciously crafted URI could hard-crash affected machines beyond any remedy

    Oh no! A PC-killer!

    besides pushing the white button

    A reboot? Well, it's an unorthodox and extreme solution to a machine crashing, we'll have a hard time convincing Windows users to do that.

    --
    No kidding!!! What do you say at this point?
    1. Re:Terrifyingly potent by Spad · · Score: 1

      The point is that it requires a hard reboot; the machine becomes unresponsive and doesn't throw a BSOD so you can't restart it with a three finger salute.

    2. Re:Terrifyingly potent by Anonymous Coward · · Score: 0

      Um.. a Ctrl-Alt-Del doesn't reset from a BSOD either. At least not for XP/2K/NT.

    3. Re:Terrifyingly potent by Skapare · · Score: 1

      Any bets on whether the reset button will wear out before the 'D' key?

      --
      now we need to go OSS in diesel cars
    4. Re:Terrifyingly potent by Sockatume · · Score: 1

      Of course, but the phrasing is a little hyperbolic for a restorative action that Windows is synonymous with.

      --
      No kidding!!! What do you say at this point?
  12. I have to ask by NoobixCube · · Score: 2, Interesting

    In my ignorance, I have to ask: What's so special about 139 and 445? What do they do normally, and why would blocking them help? No, I didn't RTFA. I'm too tired for this :P

    --
    Admit it. You post strawman arguments as AC so you get modded Insightful for refuting them, rather than Troll
    1. Re:I have to ask by Spad · · Score: 4, Informative

      139 is NetBIOS, 445 is SMB.

      139 is used for discovery and browsing of network shares (Primarily on legacy machines), 445 is the "current" port for accessing network shares.

    2. Re:I have to ask by Krneki · · Score: 2, Informative

      Port 139, 445, .. aka NetBIOS port, aka virus port.

      These ports are always closed; if they aren't, your system is already infected.

      --
      Love many, trust a few, do harm to none.
    3. Re:I have to ask by XedLightParticle · · Score: 1

      getent services | grep 139
      getent services | grep 445

      --
      If I was as pragmatic and objective as I claim to be, would I be commenting?
    4. Re:I have to ask by trapnest · · Score: 0

      Incorrect. Don't spread fud to unsuspecting slashdot users. Someone might believe you.

      There is so much ignorance when it comes to viruses, etc.

    5. Re:I have to ask by Krneki · · Score: 1

      Incorrect. Don't spread fud to unsuspecting slashdot users. Someone might believe you.

      There is so much ignorance when it comes to viruses, etc.

      Not on my part, friendo. Check the virus database and see how they work. 90% of them use the NetBIOS port.

      --
      Love many, trust a few, do harm to none.
    6. Re:I have to ask by kj_kabaje · · Score: 1

    7. Re:I have to ask by trapnest · · Score: 0

      The way you put the post made it seem like the only use of that port is viruses, and if it is in use you _are_ infected.

    8. Re:I have to ask by Krneki · · Score: 1

      You are right, I'll try to elaborate my posts more next time.

      --
      Love many, trust a few, do harm to none.
  13. buttons by nozzo · · Score: 1

    I'm OK then, my power button is beige.

    1. Re:buttons by BrightSpark · · Score: 5, Funny

      Does it have Digital or DG written on it too? Happy days. From the time when a cluster was better than a cloud? When computers were "managed" by people who knew how they worked and who knew Netbios was for something only a friend would share (with another friend). If you wanted a file over a network you sent a request to the Operator for a kind lady to haul your disc pack to the big washing machine thingy and mount it for you. Promotion meant getting system privileges like clearing your own printer queue. Goodbye PDP-11. Mourn not for AOS-VS II. Farewell DG/UX. No more CLI. Welcome to the nouveau "geek" who needs to know why it's bad to have port 139 open but kicks ass in Gears 2. To quote Ripley from "Aliens", "Did IQs suddenly drop while I was gone?"

    2. Re:buttons by Anonymous Coward · · Score: 0

      I'm OK then, my power button is beige.

      that just means you can't recover

    3. Re:buttons by nozzo · · Score: 1

      Not goodbye PDP-11, merely au revoir since I shall see you again in emulator heaven.

  14. Re:pushing the white button?? what does that mean? by uwnav · · Score: 1

    Yeah, I'm sure he/she's referring to the power or reset button. Maybe the poster was having a nostalgic day about old white desktop cases.

  15. Re:pushing the white button?? what does that mean? by Hamsterdan · · Score: 2, Funny

    The only white button here is the buzzer on my front door. But I don't see how ringing the bell will solve that problem.

    --
    I've got better things to do tonight than die.
  16. block ports? by orange47 · · Score: 1

    Aren't those two ports necessary for 'file and print sharing'/Samba? The computers at work are almost useless without that.

    1. Re:block ports? by Skapare · · Score: 1

      So just block them at the firewall going to the internet, instead of in the core office switch.

      --
      now we need to go OSS in diesel cars
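The point Spad makes above (139 is NetBIOS, 445 is SMB) and the "block at the internet-facing firewall, not in the core switch" thread can be turned into a concrete check. The following is an added example, not code from any poster or from Microsoft: a Python script that reads Windows Firewall log lines in the pfirewall.log layout, takes the column order from the log's own `#Fields:` header, and reports (a) connections from outside the LAN that a host ALLOWed in to 139/445, which is exactly the perimeter leak the thread says the edge firewall should prevent, and (b) LAN hosts making repeated inbound attempts on those ports, the "internal DoS" case. The sample log lines, the LAN address ranges and the sweep threshold are constructed for the example.

```python
"""Review Windows Firewall log lines for SMB/NetBIOS (TCP 139/445) exposure.

Added example. Reports internet-sourced connections that were allowed in to
139/445 (perimeter leak) and LAN sources hammering those ports (internal DoS).
"""
from collections import Counter
import ipaddress

SMB_PORTS = {139, 445}      # 139: NetBIOS session service, 445: SMB directly over TCP
SWEEP_THRESHOLD = 5         # inbound SMB records from one source before we call it a sweep

# What counts as "the LAN": RFC 1918 plus loopback/link-local. An explicit list rather than
# ipaddress.is_private, which would also treat the documentation ranges in the sample as private.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample in the pfirewall.log layout; the #Fields: header drives the parser.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-11-17 09:00:01 ALLOW TCP 192.168.1.50 192.168.1.20 49152 445 52 S 0 0 8192 - - - RECEIVE
2009-11-17 09:00:02 ALLOW TCP 192.168.1.50 192.168.1.20 49153 139 52 S 0 0 8192 - - - RECEIVE
2009-11-17 09:00:05 ALLOW TCP 203.0.113.7 192.168.1.20 51234 445 52 S 0 0 8192 - - - RECEIVE
2009-11-17 09:00:06 DROP TCP 198.51.100.9 192.168.1.20 40001 139 52 S 0 0 8192 - - - RECEIVE
2009-11-17 09:00:07 ALLOW TCP 192.168.1.20 192.168.1.10 49200 445 52 S 0 0 8192 - - - SEND
2009-11-17 09:01:00 ALLOW TCP 192.168.1.77 192.168.1.20 50001 445 52 S 0 0 8192 - - - RECEIVE
2009-11-17 09:01:01 ALLOW TCP 192.168.1.77 192.168.1.20 50002 445 52 S 0 0 8192 - - - RECEIVE
2009-11-17 09:01:02 ALLOW TCP 192.168.1.77 192.168.1.20 50003 139 52 S 0 0 8192 - - - RECEIVE
2009-11-17 09:01:03 ALLOW TCP 192.168.1.77 192.168.1.20 50004 445 52 S 0 0 8192 - - - RECEIVE
2009-11-17 09:01:04 ALLOW TCP 192.168.1.77 192.168.1.20 50005 445 52 S 0 0 8192 - - - RECEIVE
2009-11-17 09:01:10 ALLOW TCP 192.168.1.50 192.168.1.20 49154 80 52 S 0 0 8192 - - - RECEIVE
"""


def parse_log(text):
    """Yield one dict per record, using the #Fields: header so column order is never guessed."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue                       # other header lines (#Version, #Software, ...)
        if fields is None:
            raise ValueError("record seen before the #Fields: header")
        parts = line.split()
        if len(parts) != len(fields):
            continue                       # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, parts))


def is_lan(ip, lan_nets=LAN_NETS):
    """True when the address falls inside one of the configured LAN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in lan_nets)


def analyse(text, sweep_threshold=SWEEP_THRESHOLD, lan_nets=LAN_NETS):
    """Return (exposures, sweeps).

    exposures: (timestamp, src, dst, port) for inbound ALLOWs to 139/445 from outside the LAN.
    sweeps:    {src: count} for sources with >= sweep_threshold inbound SMB records (any action).
    """
    exposures = []
    hits = Counter()
    for rec in parse_log(text):
        if rec["protocol"] != "TCP" or rec["path"] != "RECEIVE":
            continue                       # only inbound TCP matters for 139/445
        port = int(rec["dst-port"])
        if port not in SMB_PORTS:
            continue
        src = rec["src-ip"]
        hits[src] += 1
        if rec["action"] == "ALLOW" and not is_lan(src, lan_nets):
            exposures.append((rec["date"] + " " + rec["time"], src, rec["dst-ip"], port))
    sweeps = {src: n for src, n in hits.items() if n >= sweep_threshold}
    return exposures, sweeps


def report(text):
    """Human-readable findings; returned as a list so they can be tested or filed."""
    exposures, sweeps = analyse(text)
    lines = [f"EXPOSED: {when} {src} -> {dst}:{port} allowed in from outside the LAN"
             for when, src, dst, port in exposures]
    lines += [f"SWEEP: {src} made {n} inbound SMB/NetBIOS attempts"
              for src, n in sorted(sweeps.items())]
    return lines or ["no SMB exposure or sweeps found"]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

To use it on a real host, pass the contents of the machine's pfirewall.log to `analyse()` and replace `LAN_NETS` with the site's actual ranges. Any EXPOSED line means 139/445 reached a host from the internet despite the edge firewall, which is the failure the thread is arguing about; a SWEEP line from a LAN address is the internal case that an edge-only block cannot see.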
  17. Re:pushing the white button?? what does that mean? by Anonymous Coward · · Score: 0

    Old desktops weren't white, they were beige, so it still doesn't make any sense.

  18. My computer doesn't have a white button by Skapare · · Score: 2, Funny

    ... they're all black ... you insensitive clod.

    --
    now we need to go OSS in diesel cars
    1. Re:My computer doesn't have a white button by Fotograf · · Score: 1

      My PC doesn't have any button or LED. It runs Linux and power on or off is triggered only by power failure.

      --
      God's gift to chicks
    2. Re:My computer doesn't have a white button by webmistressrachel · · Score: 3, Funny
      Yeah, great. I use a screwdriver to short pins on the array of motherboards hanging off the power supplies at the back of my bench. Just don't nudge the hard drives with the mouse whilst playing games, and watch out for that massive graphics card just wobbling there when you change the monitor lead!!

      I call it Computing with Thrills (TM) ;)

      --
      This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
    3. Re:My computer doesn't have a white button by Anonymous Coward · · Score: 0

      PAH! I lash all my cases together with twist-ties then hang them from the ceiling over my chair with a single thread of dental floss. I call it a Damocles cluster.

  19. Win 7 Firewall by carp3_noct3m · · Score: 3, Informative

    I decided that unlike Vista, I would beta Windows 7 and be ahead of the curve by the time it came out. I've been running it for roughly a year now (midnight snacktime is not conducive to memory). Overall I am actually quite impressed (gasp! shoot me now). One thing I really like is the granular firewall abilities, which have clearly defined and separate inbound/outbound rules. I currently have both set to a PIX-style ACL type: deny all except ports I explicitly state. Now this can be a pain when evaluating a new program to figure out which ports it needs open for proper function, but it is definitely something that should be done at the group policy level on the domain: just because you have a super-tight Internet-facing firewall doesn't mean you don't still need to prevent LAN and VPN security issues as well.

    --
    "It's ok, I'm completely secure as long as my iron is off"
    1. Re:Win 7 Firewall by Kjella · · Score: 1

      Overall I am actually quite impressed (gasp! shoot me now).

      I think you're in good company. I just recently saw a poll on a site I visit with about 3600 votes on what OS they were running:

      Win 7: 47%
      XP: 23%
      Vista: 11%
      Mac: 10%
      Linux: 8%

      Yeah, I know, not exactly representative... but at least among Windows users I'd say early adopters, and clearly Windows 7 is a hit. It's completely killed Vista, and even those coming from XP seem happy. I think you can push the "Year of the Linux desktop" back another few years; I'm happy on Linux but any window Vista gave it has closed.

      --
      Live today, because you never know what tomorrow brings
    2. Re:Win 7 Firewall by iron-kurton · · Score: 1

      I was always a fan of ZoneAlarm because it precisely showed what in/out ports each program was trying to access, and allowed you to set individual rules. Maybe you should consider ZA Personal (the free edition), if only for diagnosing which ports are used by any given program?

      --
      Change is inevitable, except from a vending machine -- Robert C. Gallagher
    3. Re:Win 7 Firewall by Hurricane78 · · Score: 1

      I think Agnitum's Outpost firewall still beats everything out there by far. It has too many security features that are just completely missing solutions for giant holes elsewhere.

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    4. Re:Win 7 Firewall by alexo · · Score: 1

      I think Agnitum's Outpost firewall still beats everything out there by far. It has too many security features that are just completely missing solutions for giant holes elsewhere.

      Interesting.
      How would Agnitum compare to Comodo (free)?

  20. Re:OMG what if my computer doesnt have a white but by AndGodSed · · Score: 0, Offtopic

    Oh come on! That is seriously funny, whoever voted this flamebait. It's right up there with "Where is the any key!?!?!"

  21. Re:OMG what if my computer doesnt have a white but by Vectronic · · Score: 3, Funny

    Simply use Wite-Out, or Liquid Cover-Up, doesn't matter what button, as long as it's white.

  22. on or before the vendor knows about it by Anonymous Coward · · Score: 0

    From the infallible wikipedia:

    A "zero day" attack occurs on or before the first or "zeroth" day of vendor awareness, meaning the vendor has not had any opportunity to disseminate a security fix to users of the software. (In computer science, numbering often starts at zero instead of one.)

    1. Re:on or before the vendor knows about it by Anonymous Coward · · Score: 0

      Thank you. Terms do have meaning. I have no idea what the GP thinks "zero-day" actually means.

    2. Re:on or before the vendor knows about it by DNS-and-BIND · · Score: 0, Troll

      Uh, dude? Infallible Wikipedia? Surely you can't be serious.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    3. Re:on or before the vendor knows about it by donaggie03 · · Score: 2, Informative

      I think he was being a little tongue in cheek there. The fact is, Wikipedia is good enough in most instances. But you don't have to take Wikipedia's word for it. Here's what dictionary.com says in regards to zero-day: "pertaining to a program that exploits a computer security vulnerability before security experts can address it", so there you have it.

      --
      Three days from now?? Thats tomorrow!! ~Peter Griffin
    4. Re:on or before the vendor knows about it by trapnest · · Score: 0

      Whoosh

    5. Re:on or before the vendor knows about it by Anonymous Coward · · Score: 0

      Ah, so it is an exploit of a vulnerability for which no patch or fix exists. Wow, so these have been around since the beginning of computer time, yet this term just popped into the vernacular in the last 5 years... hmmm. Hype.

    6. Re:on or before the vendor knows about it by Anonymous Coward · · Score: 0

      yet this term just popped into vernacular in the last 5 years...hmmm. hype.

      You haven't been around very long, have you? I saw the term in use in the mid/late 90s; at the time it was also used to describe warez.

    7. Re:on or before the vendor knows about it by Anonymous Coward · · Score: 0

      I think he was being a little tongue in cheek there. The fact is, Wikipedia is good enough in most instances. But you don't have to take Wikipedia's word for it. Here's what dictionary.com says in regards to zero-day: "pertaining to a program that exploits a computer security vulnerability before security experts can address it", so there you have it.

      A reaction doesn't have to be a patch. In this case, for instance, you can close the vulnerable ports. Since a security expert has been able to react to it since it was published, plus however often they check security messages, it is no longer zero-day and only was for the first 24 hours.

      So yes there you have it... but probably not the way you thought.

    8. Re:on or before the vendor knows about it by donaggie03 · · Score: 1

      So yes there you have it... but probably not the way you thought.

      I'm not sure what you are getting at, except maybe you read something in my post that I never said. I'm not arguing whether this exploit is or isn't or ever was a zero-day attack. I simply gave the accepted definition, which was quite different from what a lot of people were thinking. Now that we have a definition, which I hope we all agree on since it comes from an "acceptable" source, we can begin to have a decent discussion on how this current exploit fits in. You have to have your definitions straight first, or else everyone is just talking past each other.

      --
      Three days from now?? Thats tomorrow!! ~Peter Griffin
  23. UN; billion+ starving by Anonymous Coward · · Score: 0

    Nothing to do with us, of course?

    Starving? One would think we could do better, as there are really no shortages of anything... yet, perhaps besides compassion/responsibility.

    Who is to tell those starving kids that they've made their own mess, & will have to 'get busy' or else they'll starve to death, which sometimes takes many months due to the occasional discovery of something digestible?

    As is stated in ALL of the manuals: the innocents will be protected. If not by us,.....?

  24. Answer by AliasMarlowe · · Score: 4, Informative

    What's so special about 139 and 445? What do they do normally, and why would blocking them help?

    Here's a list of assigned port numbers: https://www.arin.net/knowledge/rfc/rfc1700.txt

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    1. Re:Answer by Anonymous Coward · · Score: 0
      And here's the up-to-date version ;-)

      http://www.iana.org/assignments/port-numbers

  25. interesting, by nimbius · · Score: 1

    I didn't know we were now officially referring to the power button as "the white button"

    or maybe everyone has a white button and I don't?

    --
    Good people go to bed earlier.
    1. Re:interesting, by webmistressrachel · · Score: 2, Informative

      I didn't either. The common term was always Big Red Switch. This white button thing has really brought out the trolls; I can't blame them. It doesn't half wind me up that these people have a job and that having a brain disqualifies people from employment these days. God, thinking is such a bad thing in the workplace today!!! They'd rather we lolcat the day away and show them nice performance statistics than actually make money for the firm to protect all our incomes. Pride and ego before logic and common sense - welcome to the Noughties.

      --
      This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
    2. Re:interesting, by Smask · · Score: 1

      In the eighties it was known as TRSR (The Red Switch Reset)

  26. Re:pushing the white button?? what does that mean? by Linker3000 · · Score: 5, Funny

    #3043-001 USB White Button Kit........34.99 + Shipping

    Ideal for computers not shipped by the manufacturer with a White Button pre-installed.

    A White Button is essential for all Windows Users. Upon a system failure, Denial of Service attack or crash, pressing the White Button releases a scientifically-formulated, airborne scent of soothing essential oil fragrances, including: Verbena, Sweet Orange, Roman Camomile and Ylang Ylang.

    At the same time, one of a number of pre-programmed actions is triggered while you listen to a random selection of 10 relaxing 'mood music' tracks.

    Basic actions include:

    1) Reboot
    2) Call my IT Support department
    3) Call the manufacturer's support department and cancel my evening dinner arrangements
    4) Reinstall current OS
    5) Reinstall current OS after backing up all user data
    6) Wipe and install CentOS
    7) Wipe and install Ubuntu
    8) Order me a Mac
    9) Order me a Big Mac, fries and a Coke

    Secondary actions can also be triggered from:

    A) Call Microsoft HQ every 'x' minutes and shout 'Fuck it' down the line.
    B) Post my CV to Linux-only job sites
    C) Rub my shoulders (Requires optional add-on #RS01)
    D) Dial local suicide help line

    A deluxe version of this item is available (#3043-002, 139.99 + Shipping). This model includes an external 10" LCD panel that can display random pages from a number of Web sites (slashdot.org, fark.com, silicon.com, cloudappreciationsociety.org and todaysbigfail.com)

    Extras and consumables:

    * #3043-S01 Replacement aromatherapy scent cartridge - pack of 12
    * #3043-S02 Replacement mustard gas scent cartridge sold singly, no returns
    * #3043-M01 Extended play music ROM - an extra 4 hours of music (for Dell Support customers)
    * #3043-P01 Enlarged White Button with face of Steve Ballmer on top. Comes complete with real wood mini hammer and elastic band-powered mini crossbow with safe-tip(TM) arrows (pack of 12 buttons)

    --
    AT&ROFLMAO
  27. "Pay packet?" by Shag · · Score: 3, Funny

    Mine turned out to be maliciously crafted.

    --
    Village idiot in some extremely smart villages.
  28. I have a dream ... by clyde_cadiddlehopper · · Score: 1

    that one day all (buttons) will be just by the content of their character and not by the color of their skin.

    --
    Obi-Wan: "I felt a great disturbance in the Force, as if millions of voices suddenly cried out in terror and were sudden
    1. Re:I have a dream ... by Anonymous Coward · · Score: 0

      I have a dream that one day all (buttons) will be judged by the content of their character and not by the color of their skin.

      FTFY

      Actually, it's still completely butchered but at least it kind of makes sense now.

  29. It is 0-day, i think by antivoid · · Score: 1

    I believe that, in a company with OS rollout cycles of 2 years or more like Microsoft, 1 week is considered 0-day, given the frequency with which the average home user updates their OS with patches.

    I am not here to troll/bash in general, but I quite like Windows 7. So far, IMHO, it's the best Windows version released to date, and I haven't heard of many bugs and crashes and vulnerabilities, besides this one.

    Windows Vista is to Windows 2000 as Windows Me is to Windows 98. Windows 7 <3 :)

    1. Re:It is 0-day, i think by erroneus · · Score: 1

      Well give it some time. They said the same about 95, 98, NT, 2000, XP and Vista... 7 isn't widely used out there just yet.

    2. Re:It is 0-day, i think by DNS-and-BIND · · Score: 0, Redundant

      Okay, you believe that a one-week exploit is the same as a zero-day exploit. No. If it's zero-day, then the vendor has no chance to fix it or offer a workaround. Seven-day, well everything could have been fixed by now! I think you need a different word for this concept, because "zero-day" means how many days? This is a pop quiz. Sorry that it has math in it, I know that's hard for a lot of people.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    3. Re:It is 0-day, i think by rtb61 · · Score: 1

      Point of fact, for quite some time they were saying that Windows ME was better than Windows 98 Second Edition (in fact right up until XP was due to be released) and Windows Vista was better than XP (right up until Windows 7 was due to be released). Here's betting that, in the not too distant future (a couple of years or so), they say Windows 7 is crap and you really need to upgrade to Windows 'whatever' for more reliability, stability and security ;D.

      --
      Chaos - everything, everywhere, everywhen
    4. Re:It is 0-day, i think by geekboy642 · · Score: 1

      Who was claiming Vista superior to XP? I bet you'll find "they" had a vested interest in selling the latest and greatest. Microsoft wouldn't have needed to publish the 'Mojave' ads if there wasn't a widespread belief that Vista sucked. And as for Windows ME, I've been using Windows since 3.1 was new and exciting, so I know better. Don't try to push some revisionist belief that anybody but Microsoft and their fanboys liked Windows ME.

      --
      Just another "DOJ fascist authoritarian totalitarian bootlicker" -- Zeio
  30. Click on something that crashes my computer? by Anonymous Coward · · Score: 0

    Wait! EA has been doing the same thing to my computer every time I double click to launch one of their games!

  31. That will be some code review by Kupfernigk · · Score: 2, Interesting
    "Under all conditions" for a piece of complex code is often far from easy. I am still smarting from a problem we had recently (not a vulnerability) where the system was sporadically failing to output messages, a problem never seen before. Unit testing was no good. We spent a week reviewing the code: found a bug, fixed it. Now there were fewer sporadic missed messages, but the number was nonzero. We used a simulator to test under every condition we could think of: no errors. Back on customer site, missed messages. It turned out there was a tiny corner case in an algorithm that was being occasionally triggered by two devices on the network that had a firmware error.

    I hate Microsoft with the best of them, but give their software engineers credit where it's due: how often have you delivered completely bug-free networking software?

    --
    From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
  32. Firewall wont help. by miffo.swe · · Score: 3, Informative

    Since the exploit is possible without any user interaction, all it takes to bring down a corporate network is one single machine running the exploit locally. A simple broadcast and every machine running w2kr2 or Vista7 will be dead until someone pulls the plug.

    I'm also very surprised that Microsoft didn't audit the code properly after the last hole. You would think that the former exploit would ring a couple of bells, since it was big enough for a truck to run through. I'm beginning to suspect all the talk about SDL, reviews and stuff is nothing but PR.

    --
    HTTP/1.1 400
    1. Re:Firewall wont help. by Anonymous Coward · · Score: 0

      Did you mean SDLC instead of SDL? I.e. http://en.wikipedia.org/wiki/Systems_Development_Life_Cycle

    2. Re:Firewall wont help. by miffo.swe · · Score: 1

      A cycle requires it's been done more than once, or at least one time. The SAMBA on Vista/Windows 7 clusterfuck strongly suggests that either SDLC is totally worthless or hasn't been used internally. Something a simple fuzzer snags should not make it past Q&A, especially not when the company in charge brags about its "superior" security policies at every possible chance.

      --
      HTTP/1.1 400
  33. File-Server by Anonymous Coward · · Score: 0

    I just blocked those ports, now my users say that they can't access file-services on the server.

  34. Zero day by Jeremy+Visser · · Score: 2, Interesting

    Well, this may be the first "zero day" exploit, but this one ("Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.") was around for much longer, and it's truly amazing that it still works on a majority of machines I try it out on.

  35. That's setting a dangerous precedent. by CFD339 · · Score: 1, Funny

    The very idea of undoing your own powerful moderation use -- even if (especially if) you used it mistakenly is very un-slashdot of you. You're supposed to stay completely anonymous in your abusive mistake, and use those points to call all opinions you don't agree with either redundant or flamebait. Didn't you read the destructions the first time you got mod points?

    --
    The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
    1. Re:That's setting a dangerous precedent. by PCM2 · · Score: 1

      It was my last one! I either blaze through an entire thread like a rampaging omen of death, or nothing at all.

      --
      Breakfast served all day!
  36. Erm... no. Not quite. by jimicus · · Score: 4, Insightful

    "As important as this the mentioned article is, it should also be pointed out that any IT staff worth their pay packet should already have port 139 blocked at the firewall, and probably port 445. too."

    I respectfully disagree.

    Any IT staff worth their pay packet should have EVERYTHING blocked at the firewall, then open holes for things that you can be certain you need. Ideally, those holes don't go direct to systems on the company LAN but instead to a DMZ.

    1. Re:Erm... no. Not quite. by WD · · Score: 1

      The article left out the word "outbound". If you block everything (outbound) at the firewall, you are going to have some unhappy staff.

    2. Re:Erm... no. Not quite. by Barny · · Score: 1

      Wait, if you're blocking everything inbound, and now we need to block everything outbound....

      I will sell you my new "loose wire" protection system, it stops ALL remote exploits and costs just $11.99 a month (per seat) to implement!

      --
      ...
      /me sighs
  37. It's not as bad as it sounds by Anonymous Coward · · Score: 0

    Calm down, everybody.

    This bug cannot be exploited from the outside without user interaction.

    It can only be exploited from the outside *if* the user clicks a malicious link (like \\12.34.56.78\crash) for example in a browser.

    1. Re:It's not as bad as it sounds by FictionPimp · · Score: 1

      And the everyday user is smarter than that. I mean, that is why we don't need resident virus scanners. Users are smart enough not to click anything sent to them.

      Of course you could send them a page that simply runs a little JavaScript hitting as many IPs as possible behind the scenes, or even a downloaded exe that scans the network to find good targets for attack.

      Users will run anything.

    2. Re:It's not as bad as it sounds by WD · · Score: 1

      You've got the concept right, but you don't need to click on a malicious link in your browser. Simply visiting a malicious/compromised site in IE is enough. Or viewing a malicious email.

  38. Arghh! by Dreadrik · · Score: 0

    I'm on a macbook! All my buttons are white!

  39. Yes, any admin... by erroneus · · Score: 1

    ...but what about home users?

    This reminds me of the days of "winnuke" and blue screening IRC users back in the dialup days. Port 139 is probably already blocked at the firewall on even most of the most trivial configurations. But attack vectors aren't always direct. At times attacks are relayed through a malware infected machine giving a remote attacker local, "behind the router/firewall" access to all the other machines on the network.

    1. Re:Yes, any admin... by kbielefe · · Score: 3, Funny

      ...but what about home users?

      What, you don't have an IT staff at home?

      --
      This space intentionally left blank.
    2. Re:Yes, any admin... by Anonymous Coward · · Score: 0

      I think his response to home users would be:

      LearnArcaneCLICommands(TM)
      EverybodyIsADeveloper(TM)

    3. Re:Yes, any admin... by Anonymous Coward · · Score: 0

      I don't have an IT staff at home. There are plenty of options that don't require one.

    4. Re:Yes, any admin... by Anonymous Coward · · Score: 0

      What, you don't have an IT staff at home?

      Ya, I take it to work with me every day so I can beat users about the head with it when they ask me where the "any" key is. It keeps breaking.

  40. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  41. You need to block *outgoing* ports by WD · · Score: 5, Informative

    The article and summary are not clear, but you need to block *outgoing* ports 139 and 445 at the firewall to help protect against this issue. The vulnerability is triggered by the system attempting to make an SMB connection to a malicious server. This can happen in a number of ways, such as viewing a web page in IE or viewing an email message in Outlook or Outlook Express.

    If your firewall blocks outgoing 139 and 445, then the SMB connection attempt fails.

    1. Re:You need to block *outgoing* ports by Malc · · Score: 1

      Does this mean that you can browse to the network shares?

    2. Re:You need to block *outgoing* ports by wvmarle · · Score: 1

      OK, it is a bit of whining about semantics, but I wondered why they say "block port xxx at the firewall" instead of "do not open port xxx at the firewall unless you have a very good reason to do so". After all, I expect a firewall in its default state to block everything; that's why you have such a device.

      Now you say it is about outgoing connections even! That is normally by default all allowed indeed.

    3. Re:You need to block *outgoing* ports by Anonymous Coward · · Score: 0

      Blocking outgoing ports can't possibly work. What's to prevent the exploit from sending the other packets of the handshake anyway, as if it had received the packets blocked by the firewall?

    4. Re:You need to block *outgoing* ports by Phroggy · · Score: 1

      Blocking outgoing ports can't possibly work. What's to prevent the exploit from sending the other packets of the handshake anyway, as if it had received the packets blocked by the firewall?

      If you're behind NAT, the remote system can't send reply packets if you didn't initiate the connection, because the router won't associate the incoming replies with an outgoing connection, and won't forward them to the internal machine.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
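
      The mechanism WD describes above (an egress rule on TCP 139/445 so the client's own SMB connection attempt fails) and Phroggy's reply about stateful devices, as an added example that is not from the thread: a toy stateful packet filter in Python. It also answers the objection that the remote side could "send the other packets of the handshake anyway", and it is the same deny-all-egress posture carp3_noct3m's comment describes. The addresses, ports, packets and class names are constructed for the example; the logic is a simplification of what a real stateful firewall or NAT router does.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SMB_PORTS = {139, 445}
# A flow is keyed from the inside host's point of view.
Flow = Tuple[str, int, str, int]   # (inside host, inside port, outside host, outside port)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # "SYN", "SYN-ACK", "ACK", ...
    direction: str   # "out": LAN -> Internet, "in": Internet -> LAN


@dataclass
class StatefulFilter:
    """Perimeter device with an egress port policy and a connection table."""
    blocked_egress: Set[int] = field(default_factory=set)
    table: Set[Flow] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def process(self, pkt: Packet) -> bool:
        """Forward (True) or drop (False) one packet, recording the decision."""
        if pkt.direction == "out":
            flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.dport in self.blocked_egress:
                return self._decide(pkt, False, "egress port policy")
            if pkt.flags == "SYN":
                self.table.add(flow)           # only an allowed outbound SYN creates state
            elif flow not in self.table:
                return self._decide(pkt, False, "no established flow")
            return self._decide(pkt, True, "")
        # Inbound: accepted only if it answers a connection the inside host opened.
        flow = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow not in self.table:
            return self._decide(pkt, False, "no matching outbound connection")
        return self._decide(pkt, True, "")

    def _decide(self, pkt: Packet, forward: bool, why: str) -> bool:
        verdict = "PASS" if forward else f"DROP ({why})"
        self.log.append(f"{verdict} {pkt.direction} {pkt.src}:{pkt.sport} -> "
                        f"{pkt.dst}:{pkt.dport} {pkt.flags}")
        return forward


# Constructed hosts: a LAN client and an Internet host it is lured into contacting.
CLIENT, SERVER = "192.168.1.20", "203.0.113.10"


def smb_handshake(fw: StatefulFilter) -> List[bool]:
    """Client opens an SMB session outward: SYN out, SYN-ACK in, ACK out."""
    return [
        fw.process(Packet(CLIENT, 50001, SERVER, 445, "SYN", "out")),
        fw.process(Packet(SERVER, 445, CLIENT, 50001, "SYN-ACK", "in")),
        fw.process(Packet(CLIENT, 50001, SERVER, 445, "ACK", "out")),
    ]


def unsolicited_inbound(fw: StatefulFilter) -> bool:
    """Outside host sends 'the rest of the handshake' although no SYN ever reached it."""
    return fw.process(Packet(SERVER, 445, CLIENT, 50001, "SYN-ACK", "in"))


def demo() -> Dict[str, object]:
    open_fw = StatefulFilter()                           # outbound allowed, as most home routers
    egress_fw = StatefulFilter(blocked_egress=set(SMB_PORTS))
    return {
        "without_rule": smb_handshake(open_fw),          # [True, True, True]: session reaches the outside host
        "with_rule": smb_handshake(egress_fw),           # [False, False, False]: SYN never leaves, replies have no state
        "forged_reply": unsolicited_inbound(StatefulFilter()),   # False: the state table alone drops it
        "web_still_works": egress_fw.process(Packet(CLIENT, 50002, SERVER, 80, "SYN", "out")),  # True
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

      Two things the example makes visible: the egress rule matters because the vulnerable machine is the one that opens the connection, and the unsolicited inbound packets are dropped by the state table alone, which is why NAT boxes get this half right by accident. On the Windows 7 host itself the equivalent rule is `netsh advfirewall firewall add rule name="Block outbound SMB" dir=out action=block protocol=TCP remoteport=139,445`; a host rule also covers the case miffo.swe raises above, where the hostile machine is on the same LAN and its traffic never crosses the perimeter device.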
    5. Re:You need to block *outgoing* ports by ToasterMonkey · · Score: 1

      If you're behind NAT, the remote system can't send reply packets if you didn't initiate the connection, because the router won't associate the incoming replies with an outgoing connection, and won't forward them to the internal machine.

      A firewall can do that, a NAT mostly doesn't have a choice.

  42. Not inbound, but *outbound* by WD · · Score: 1
  43. Re:pushing the white button?? what does that mean? by Anonymous Coward · · Score: 0

    --(PP sig)
    If there is anyone here who believes they have telekinetic abilities, would they please raise my hand.

    A man that was sitting in the other side of the room stands up, goes next to the speaker, grabs his arm, pronounces the words "^W^W^W^W^W^W^W^W^W^W^W and raises the speaker's hand.

    See, it's not fun when YOU have the vulnerability.

  44. Deja Vu by Anonymous Coward · · Score: 0

    Has there ever been a version of Windows since 1995 that did NOT require blocking ports 139 and 445?

    Will Microsoft ever get it right?

  45. Sorry guys by Tibor+the+Hun · · Score: 1

    This was my idea.

    --
    If you don't know what AltaVista is (was), get off my lawn.
  46. Allow me to introduce you to Mr. Turing... by mosel-saar-ruwer · · Score: 1

    Loops 101: prove that the loop terminates under all conditions

    That one's gonna prove to be just a little difficult.

    1. Re:Allow me to introduce you to Mr. Turing... by Anonymous Coward · · Score: 0

      Yes, the halting problem shows that in the general case it is impossible to tell if a given program will eventually halt. But that's effectively a problem where you are given some existing code and have to determine if it will halt. If you are actually modifying or writing the code yourself, you can avoid using conditions such that it is impossible to determine whether the code will terminate; in particular, you can code loops such that in addition to using the logically necessary termination condition/s, there is always an 'emergency condition' which will eventually come into play and terminate the loop in a determinate number of iterations.
      For example, you don't allow unlimited input length for a string; even if you want a routine to be as flexible as possible you always want any processing loop for that string to halt when the array index is about to overflow. If you are using some mathematically convergent series to get a result of a given accuracy (e.g. difference between successive iterated results is less than some desired error value), you still want to set a maximum number of iterations in case the series is non-convergent in special cases.

      So in practical terms, you can make the halting problem irrelevant if you can change the code.
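
      The bounded-loop discipline described in the reply above, as an added example that is not from the thread: a Python fixed-point iteration with the tolerance test plus a hard cap on iterations, and a line reader that refuses to collect an unbounded string. The function names, the sample inputs and the caps are constructed for the example.

```python
from dataclasses import dataclass
from itertools import repeat
from typing import Callable, Iterable, Optional


@dataclass
class Iteration:
    value: float
    steps: int
    converged: bool


def fixed_point(f: Callable[[float], float], x0: float,
                tol: float = 1e-10, max_iter: int = 100) -> Iteration:
    """Iterate x <- f(x) until two successive values differ by less than tol.

    The tolerance test is the logically necessary stop. max_iter is the
    emergency stop: it guarantees termination even when the iteration
    oscillates or diverges and the tolerance test would never fire.
    """
    x = x0
    for step in range(1, max_iter + 1):
        x_next = f(x)
        if abs(x_next - x) < tol:
            return Iteration(x_next, step, True)
        x = x_next
    return Iteration(x, max_iter, False)   # bound reached: report it, do not pretend success


def read_line(chunks: Iterable[bytes], max_len: int = 1024) -> Optional[bytes]:
    """Collect bytes from a chunked stream up to the first newline.

    Returns the line without its terminator, or None if no complete line
    arrived within max_len bytes (cap hit, or the stream ended first).
    Without the cap, a peer that never sends a newline keeps this loop
    running and the buffer growing for as long as it keeps sending.
    """
    buf = bytearray()
    for chunk in chunks:
        for byte in chunk:
            if byte == 0x0A:
                return bytes(buf)
            buf.append(byte)
            if len(buf) >= max_len:
                return None            # emergency condition: give up on an unbounded line
    return None                        # stream ended without a terminator


def demo() -> dict:
    """Run both loops on constructed inputs, including the non-terminating ones."""
    return {
        # Newton's method for sqrt(2): converges in a handful of steps
        "sqrt2": fixed_point(lambda x: 0.5 * (x + 2.0 / x), 1.0),
        # x <- -x oscillates between 1 and -1; only max_iter stops it
        "flip": fixed_point(lambda x: -x, 1.0),
        # x <- 2x diverges; only max_iter stops it
        "grow": fixed_point(lambda x: 2.0 * x, 1.0),
        # constructed stream: a complete line followed by unrelated bytes
        "line": read_line([b"hello ", b"world\n", b"trailing"]),
        # constructed endless stream (itertools.repeat) that never sends a newline
        "endless": read_line(repeat(b"A" * 16)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

      The point of returning an explicit `converged=False` or `None` rather than a plausible-looking value is that the caller can tell the emergency stop fired; a loop that terminates but silently reports garbage has only traded a hang for a wrong answer.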

    2. Re:Allow me to introduce you to Mr. Turing... by Anonymous Coward · · Score: 0

      Throw in one network card, piece of hardware, device driver, or call to a subroutine written by someone who wasn't you or even you on a bad day... and you're back to the halting problem. You can fix an individual loop at the end of the call stack that doesn't do anything interesting (call another function), but such fixing doesn't scale.

  47. I'm used to it by dogganos · · Score: 2, Interesting

    This god damned code of Windows sharing has been bugging us for years! I've been a net admin for 10 years at a university with over 25K connected computers, and as long as I can remember, ports 445, 139 and 137 are always the target!
    How bad can code be??????

  48. IT staff? by Shotgun · · Score: 3, Insightful

    Reader xploraiswakco adds, "As important as this the mentioned article is, it should also be pointed out that any IT staff worth their pay packet should already have port 139 blocked at the firewall, and probably port 445. too."

    The reader xploraiswakco needs to pull his head out of that dark place and realize that my wife doesn't have an IT staff (I refuse to do Windows). I would even dare to say that most people don't have an IT staff at home. It's a stretch, I know, But I'm the kind of guy that takes chances like that.

    Does reader xploraiswakco carry an IT staff with him in case he needs to use a wifi hotspot some place?

    --
    Aah, change is good. -- Rafiki
    Yeah, but it ain't easy. -- Simba
    1. Re:IT staff? by trapnest · · Score: 0

      You refuse to help your wife with her computer? Why do women marry assholes?

    2. Re:IT staff? by Anonymous Coward · · Score: 0

      Windows 7 has these ports blocked by default, so your wife doesn't need any network staff. (These ports are only open when you have decided to share files, and then only on private (home and business) networks.) This means that only computers on those networks might be able to shut down her computer. Since the exploit doesn't allow remote execution it won't be in a worm, so someone on the network has to consciously perform the exploit. Pretty unlikely on non-school networks.

    3. Re:IT staff? by BitZtream · · Score: 0, Troll

      Unfortunately, your wife married an ignorant asshole.

      Since Windows 7 has this firewalled safely out of the box for public networks your wife is fortunate.

      Of course, if you weren't so busy telling everyone how you're so good at being an unhelpful, inconsiderate dick, you'd have spent 3 minutes to do some investigation to know that rather than leaving her to wonder.

      Your attitude and low slashdot id leads me to believe that by 'wife' you mean Realdoll since I find it unlikely anyone would stay married to such a worthless jackass.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    4. Re:IT staff? by Shotgun · · Score: 2, Insightful

      OK, pisshead.

      Windows 7 is firewalled...out of the box even. Unless of course, she wants to USE the functionality that was advertised.

      Now, explain to us why me not taking the time to learn an operating system that wasn't fit for the trash bin 10 years ago makes me an "inconsiderate dick"? Why should I spend one more minute on the products of a company that has done nothing but hold back the advancement of personal computing when I have a perfectly good product that cost me nothing and gives me the power to use MY computer the way I want to use MY computer? Why does recommending that she use something that I can support make me a "worthless jackass"? Why would my worth as a husband hinge solely on my willingness to follow the likes of you into being a Microsoft shill?

      She bought a Mercedes. I advised against it, because I can't work on it. Mercedes requires a lot of special tools. I bought an Atlas lathe, which she advised against, and she won't work on it with me. She doesn't like to do things mechanical. Am I to assume you'd think that makes her a worthless asshole? You see, dickwad, out here in the real world, we call that "communication".

      Your attitude and familiarity with something called "Realdoll" leads me to believe that you are a smelly, middle-aged loser without a clue how to live in harmony with another person.

      Now that we have the ridiculous personal attacks out of the way, let's fall back to discussing the original post that I responded to.

      any IT staff worth their pay packet should already have port 139 blocked at the firewall

      It would be a valid consideration, except that Windows 7 is foisted on the public through retail channels for a ridiculously high sum of money with no mention that a professional staff is required to use it properly. Luckily, you've let us all know that parts of the system being sold are automatically blocked. In any other industry that is called "not being fit for the use for which it was sold." A less flattering description is false advertisement.

      Now you can go back to playing with your Realdoll.

      --
      Aah, change is good. -- Rafiki
      Yeah, but it ain't easy. -- Simba
  49. Re:pushing the white button?? what does that mean? by Tim+C · · Score: 1

    No - no white button in Win 7, and even if there were, if the machine has locked-up a UI component wouldn't do much good.

    GP is correct, the submitter is trying to be clever.

  50. Feature not a bug by Anonymous Coward · · Score: 0

    Does an OS really need to be so complicated? ReactOS, for example, provides a significant proportion of the functionality of Windows in a fraction of the size.

    Surely fewer lines of code mean a smaller attack surface for exploits and vulnerabilities.

    If Windows were simple and clean then WINE or other similar reimplementations would be working perfectly and MS would be out of business by now.

  51. Yet again ... by daveime · · Score: 2, Informative

    From NT, XP, Vista, Windows 7 ...

    When are they going to learn that EVERY port from 0 - 65535 should be disabled by default, and only enabled if the user chooses ?

    1. Re:Yet again ... by Toreo+asesino · · Score: 1

      They are (disabled by default).

      --
      throw new NoSignatureException();
    2. Re:Yet again ... by YankDownUnder · · Score: 1

      Micro$soft, a company worth in excess of $55 billion dollars US, can't possibly be expected to fix something as complex as Micro$oft Windows (insert your version here). C'mon! They've got to eat, party, buy politicians and Texan football team owners...you really think that they'd spend MONEY on fixing something "once and for all"? We must be kind to them, and expect that A COMPANY THAT IS WORTH IN EXCESS OF $55 BILLION DOLLARS US can't afford such a thing as shelling out hard earned (stolen/conned/extorted) money to teams of offshored software engineers to fix such MYSTERIOUS things! Bribery and paying out for lobbyists and greasing palms for copyrights and patents is IMPORTANT ya know...so give them a break! Maybe, MAYBE, someone should just write them a nice little note explaining how they can fix this issue, or write the resolution out for them (hardcopy or in software format) so that they don't have to worry so much and fret so much! Ya know, give them a helping hand, eh? (Sorry, my meds ain't kicked in yet).

      --
      YankDownUnder Veni, Vidi, volo in domum redire
    3. Re:Yet again ... by TheThiefMaster · · Score: 1

      The exploit is for an OUTBOUND connection via a malicious link in an email etc. If it was an inbound connection then it really would come under the "yawn" category and be blocked by everyone's firewalls. Very few "home" grade routers / firewalls will block outgoing connections at all, let alone by default, because that is such a pain to manage with the plethora of online games about, all using different outgoing ports.

    4. Re:Yet again ... by Anonymous Coward · · Score: 0

      What, you want users to write specific policy rules to open a web browser? The exploit refers to outgoing connections.

    5. Re:Yet again ... by mr+exploiter · · Score: 1

      Right... because one thing we learned from Vista is that users like to be asked before the operating system does every little thing. In other news UAC is great!

    6. Re:Yet again ... by daveime · · Score: 1

      Why not ?

      First time the user opens a web browser, he gets a one time message like

      "This program will open ports 80 and 443 to connect to the internet, and port 53 to make DNS lookups"

      Likewise for e-mail readers, games, etc etc.

      It immediately makes even the dumbest user aware that they have "opened a door" to the outside world, and helps them learn about what their PC is doing.

      Also, once they get the hang of this, they're perhaps more likely to question when say a PDF reader or whatever wants to phone home.

      I don't see why outgoing connections should be any more open than incoming ones ... most of the problems occur when the user downloads something or opens an email attachment, in which case the program is already executing *inside* the firewall ... at least the user would be informed, this [insert-strange-application] here "wants to connect out on some port, are you sure this is okay ?"

      Trojans are far far more prevalent than viruses these days.

  52. Re:pushing the white button?? what does that mean? by Anonymous Coward · · Score: 0

    kdawson is colorblind, man. Don't be such a dick. You and I both know he meant "red button," but he doesn't actually know the difference. There's no reason to get all passive-aggressive Slashdot literalist on him.

    Not only is the guy the worst, most inattentive and ill-informed editor on staff but he's visually disabled! Cut the guy a break!

  53. SOL by Mr.+Foogle · · Score: 1

    "As important as this the mentioned article is, it should also be pointed out that any IT staff worth their pay packet should already have port 139 blocked at the firewall, and probably port 445, too."

    That is awesome advice if you _have_ an IT staff. People with Windows 7 at home who don't have one of those are SOL I suppose.

    --
    Display some adaptability.
    1. Re:SOL by Anonymous Coward · · Score: 0

      Unless they know how to do the outbound blocking on their el-cheapo router/"firewall" brick, they are...

  54. Re:pushing the white button?? what does that mean? by Anonymous Coward · · Score: 0

    Your ideas intrigue me and I wish to subscribe to your catalogue.

  55. Does this affect Samba by fast+turtle · · Score: 2, Interesting

    and the Linux Kernel SMB support? If it does, we've got a major problem as they now have a method of taking a whole batch of sites down.

    --
    Mod me up/Mod me down: I won't frown as I've no crown
  56. You are clearly not a civil engineer by Kupfernigk · · Score: 1

    I know several civil engineers, and I can tell you your response is rubbish. This exploit requires a reboot. That is a temporary interruption of service. How often do bridges have to be closed because of unforeseen weather conditions, cracking, design errors (London Millennium bridge an example of that)? The answer is, of course, all the time. The closures are needed because of the likelihood of collapse or severe structural damage. A friend of mine is currently sorting out a major dispute between two engineering companies and a government over alleged design errors in a major infrastructure project. I think, to be honest, you are the one who sounds stupid - sounding off with a counter example from an industry you know nothing at all about.

    --
    From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
    1. Re:You are clearly not a civil engineer by siyavash · · Score: 0, Flamebait

      You sir, are an idiot.

  57. Re:OMG what if my computer doesnt have a white but by dontmakemethink · · Score: 1

    I protest this wanton racial discrimination! After all, turning off a windows box can only be described as an "affirmative action"!

    --

    War as we knew it was obsolete
    Nothing could beat complete denial
    - Emily Haines
  58. What's your definition of zero-day exploit? by Anonymous Coward · · Score: 0

    Zero-day means just that.

    What's that? An exploit released today? I couldn't find a single source backing up that definition.

    However, there's two definitions I found googling zero day exploit:
    A zero-day exploit is one that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known.
    An exploit of a vulnerability for which a security update does not exist.

    The exploit was released when the flaw was revealed and there's no fix, so both definitions apply. Perhaps you have some alternate definition of zero-day exploit I haven't heard yet.

    1. Re:What's your definition of zero-day exploit? by Anonymous Coward · · Score: 0

      I'm a hacker. I do penetration testing for a living.

      I break into stuff every day.

      A "zero-day" is most commonly meant to define an exploit that does not have a patch and/or has not been recognized by the official vendor of the software.

      It more rarely means "an exploit which is not public", or "a vulnerability that has not been exploited" but those are lame and the people who use them should be fired.

  59. Re:OMG what if my computer doesnt have a white but by Mr_Miagi · · Score: 0, Troll

    Buy an Apple... Sort of solves two problems, doesn't it?

  60. Re:pushing the white button?? what does that mean? by flyingfsck · · Score: 1

    The White Button is next to the Any Key...

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  61. Windows only for corporations, not users by SuperKendall · · Score: 0, Troll

    ...but what about home users?

    It's an admission that home users should not be running Windows. You'd think a few decades would have been enough to figure that out...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  62. Re:pushing the white button?? what does that mean? by Anonymous Coward · · Score: 0

    * #3043-P01 Enlarged White Button with face of Steve Ballmer on top. Comes complete with real wood mini hammer and elastic band-powered mini crossbow with safe-tip(TM) arrows (pack of 12 buttons)

    Typical Microsoft gotcha. The throwing chairs are sold separately.

  63. I thought this was one of them by Anonymous Coward · · Score: 0

    I was pretty sure this bug made it into the RTM version of Windows 7 because it was reported so late. In fact, unless they have patched it then it is also a Vista, Server 2k8, and Server 2k8 R2 bug.

    http://jpocas.blogspot.com/2009/10/crash-windows-vista-and-later-remotely.html

  64. Re:pushing the white button?? what does that mean? by Anonymous Coward · · Score: 0

    >GO NORTH

  65. Re:OMG what if my computer doesnt have a white but by CityZen · · Score: 1

    I kind of miss the Big Red Switch. A friend would sometimes say "Oh, that's a BRS error," when describing bugs for which the only solution involved said switch.

  66. What happened to the "default block" policy? by sgt+scrub · · Score: 1

    any IT staff worth their pay packet should already have port 139 blocked at the firewall, and probably port 445, too.

    I've always believed that a policy of blocking all traffic except what you explicitly trust is the best policy. Isn't that the policy held by most security engineers? When did it change? Anyway. Explicitly trusting UDP 137-139 and TCP 445 traffic to a DMZ is as far as I can go. IMHO 25, 53, 123, 80, 443, 7070, 1935, 554, and 1194 are the only important ones to allow without explicit source/destinations these days. I'm talking about traffic originating from the internal network of course. Inbound traffic should always be restricted to specific destinations, or has that changed too?

    --
    Having to work for a living is the root of all evil.
  67. And the exploit is unpatched on release by Anonymous Coward · · Score: 1, Informative

    And the exploit is unpatched on release, therefore it is a zero-day exploit. It will ALWAYS be a zero-day exploit since at its release it was unpatched and that will remain true for as long as the exploit lives. Just like a boy will remain born a boy for the rest of his life.

    At some point the boy will become a man and in the same way this zero day exploit will have been patched.

    But it will always remain a zero day exploit no matter what its age. The zero day exploit is its status at "birth".

  68. yawn by Anonymous Coward · · Score: 0

    "Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine." -Bill Gates, 2007

  69. Gotta Be Said by macs4all · · Score: 1

    "It won't have any problems my previous OS had!" -- 'PC guy' on latest 'Get a Mac' ad

  70. Year of the Linux desktop by OrangeTide · · Score: 1

    I'm pretty sure the whole "year of the linux desktop" will never happen (which is too bad for me, because I'm a professional Linux developer). Although a year of Linux phones is coming pretty quickly, if it's not here already.

    --
    “Common sense is not so common.” — Voltaire
  71. Incompetence??? by Anonymous Coward · · Score: 0

    Close to 20 years of this shit, 10 years of focus on it, and they're still spewing out servers that don't do bounds checking on input...

  72. Re:OMG what if my computer doesnt have a white but by Anonymous Coward · · Score: 0

    use it on the physical button on your case though, not on the button on the screen.

  73. Re:OMG what if my computer doesnt have a white but by The+Clockwork+Troll · · Score: 1

    Three, if you include keeping the doctor away.

    --

    There are no karma whores, only moderation johns
  74. I just learned this in my BS-Info Security at ITT by Anonymous Coward · · Score: 0
    A zero day exploit is an exploit used (thus available) before it is known (and therefore before a patch exists)

    A zero day exploit is a surprise for your security administrator, one that might just ruin his/her day.

    Once it has been deployed (and studied) it is no longer zero day.

    Once it has been discussed in open forum (like slashdot) it is no longer zero day.

    keyword - Surprise!

  75. Re:pushing the white button?? what does that mean? by Anonymous Coward · · Score: 0

    Perhaps the "white button" is a reference to bowling. On every bowling return I've ever seen, the pin "reset" button is white.

  76. Some mistakes in the articles and comments by zukinux · · Score: 1

    Hello, This advisory had been published on the 9th of September http://g-laurent.blogspot.com/2009/09/windows-vista7-smb20-negotiate-protocol.html, about a kernel crash caused by a specially crafted SMB packet to port 445. This advisory was published in the beginning as Denial-Of-Service but soon people found that it was exploitable! Soon lots of people tried to be the first to create a working exploit for MS09-050 (SMB2). Until then, Microsoft said that until an update is available you can disable SMB2 and not ports 445/139.

    Also, CoreImpact had first published a remote exploit PoC to their members on the 17th of September. Which means that an exploit had been found to subscribers at 17/9!!
    So this article is basically wrong. Anyways, more researchers still tried to create a public exploit for it, such as http://blog.metasploit.com/2009/10/smb2-351-packets-from-trampoline.html which describes his way of exploiting this using 351 packets to achieve a jump to his code (remote code execution).

    So... This article has more than a few points which are not accurate including the "The first windows 7 zero day exploit" title.
    Cheers.
    Zuk

  77. zero day by Anonymous Coward · · Score: 0

    I seem to have this issue with Win 7 and Windows Home Server. My machine simply locks up hard when transferring files from the server to computer or from computer to server! They say Server 2003 is not affected, yet Home Server is Server 2003 modified and producing the exact same issue as described here. Any other takers on that?

  78. Re:pushing the white button?? what does that mean? by Anonymous Coward · · Score: 0

    Do they make a model covered in rich Corinthian leather?

  79. Re:pushing the white button?? what does that mean? by YankDownUnder · · Score: 1

    I'm going to start marketing "White Buttons" online, for a small price of $19.95 AUD. If you DO NOT have a "White Button", please contact me for details on how to pre-order your own, personalised and customisable "White Button". I've also applied for a patent and copyright on "White Button", as per M$ standards - so getting a "White Button" from anyone other than myself will result in patent infringement and copyright violation. Even mentioning "White Button" outside of MY context is grounds for legal action. How many "White Buttons" would you care to order today? (Oh yeah, and next week, "White Button v.1.1" will be out and you can upgrade from "White Button v.1" for a small licensing fee of $19.95 AUD)

    --
    YankDownUnder Veni, Vidi, volo in domum redire
  80. Re:pushing the white button?? what does that mean? by Anonymous Coward · · Score: 0

    You are an idiot.

  81. Re:OMG what if my computer doesnt have a white but by syousef · · Score: 1

    What are my options? New computer?

    Clearly if it hasn't got a white button and it crashes, it is beyond repair and you will have to buy a new one.

    --
    These posts express my own personal views, not those of my employer
  82. no back port ? by Anonymous Coward · · Score: 0

    Finally a useful feature in Windows 7. Just wait and see Microsoft refuse to back port this to XP, thus taking the next step in the forced upgrade cycle.

  83. Zero-day by TangoMargarine · · Score: 1

    Is there anybody else who's really tired of hearing everything on Slashdot get labelled a "zero-day exploit?" Correct me if I'm wrong, but by my understanding *most* exploits are zero-day, which basically means "they haven't fixed it yet." The alternative being bugs that have been fixed but are being exploited on machines that haven't been patched yet?

    If this is correct (or close), why do we need to label everything "zero-day?" Can't we just assume that unless stated otherwise?"

    --
    Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
  84. Disable the service which listens on this port by TwineLogic · · Score: 1
    "sc stop LanmanServer"
    "sc config LanmanServer start= disabled"

    The 'server' service is a Win32 service which provides sharing of files, printers, and CPU registers on port 139. The best solution, beyond firewalling the port in question, is to disable this service unless it is being used. The service itself consumes resources even when not in use, requires a small amount of time during boot-up, etc.

    Most home users do not use Windows file-sharing or printer-sharing because they are justifiably concerned with the security risks. These users should disable the "server" service.
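The stop-and-disable procedure above, plus the port blocking Microsoft recommended, as an added PowerShell example that is not part of the original post. It assumes an elevated PowerShell 2.0 prompt on Windows 7 and that the Server service is registered under its service name LanmanServer; without `-Harden` it only reports.

```powershell
# Added example (not from the original thread): audit and, on request, harden a
# Windows 7 host against the SMB crash discussed above.
# Assumes: elevated PowerShell 2.0+, service name 'LanmanServer' (display name 'Server').
param(
    [switch]$Harden   # without this switch the script only reports
)

$ports = @(139, 445)   # NetBIOS session and direct-hosted SMB

function Get-ServerServiceState {
    # Win32_Service exposes StartMode, which Get-Service does not on PowerShell 2.0
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='LanmanServer'"
    if ($svc -eq $null) { throw "LanmanServer service not found" }
    New-Object PSObject -Property @{
        Name      = $svc.Name
        State     = $svc.State       # Running / Stopped
        StartMode = $svc.StartMode   # Auto / Manual / Disabled
    }
}

function Get-SmbListeners {
    # Parse 'netstat -ano' for TCP listeners on the SMB ports; returns endpoint and PID
    $found = @()
    foreach ($line in (netstat -ano)) {
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $port = [int]$Matches[2]
            if ($ports -contains $port) {
                $found += New-Object PSObject -Property @{
                    Local     = "$($Matches[1]):$port"
                    ProcessId = [int]$Matches[3]
                }
            }
        }
    }
    return $found
}

function Disable-ServerService {
    # Stop the Server service (it has dependents such as Computer Browser, hence -Force)
    # and prevent it from starting again at boot. File and printer sharing stop working.
    Stop-Service -Name LanmanServer -Force -ErrorAction SilentlyContinue
    Set-Service -Name LanmanServer -StartupType Disabled
}

function Add-SmbBlockRules {
    # Host firewall rules in both directions: inbound covers the classic exposure,
    # outbound covers the link-triggered case raised in the thread (the client
    # reaching out to a hostile SMB server). netsh is used because the
    # New-NetFirewallRule cmdlet does not exist on Windows 7.
    foreach ($p in $ports) {
        netsh advfirewall firewall add rule name="Block SMB TCP $p in" dir=in action=block protocol=TCP localport=$p | Out-Null
        netsh advfirewall firewall add rule name="Block SMB TCP $p out" dir=out action=block protocol=TCP remoteport=$p | Out-Null
    }
}

$state = Get-ServerServiceState
Write-Host ("Server service: {0} (start mode {1})" -f $state.State, $state.StartMode)
$listeners = @(Get-SmbListeners)
if ($listeners.Count -eq 0) {
    Write-Host "No TCP listeners on ports 139/445"
} else {
    $listeners | Format-Table Local, ProcessId -AutoSize
}

if ($Harden) {
    Disable-ServerService
    Add-SmbBlockRules
    Write-Host "Server service disabled and firewall rules added; re-run without -Harden to verify"
}
```

Port 445 will still show as listening if the service is stopped but another component owns the socket, which is why the script reports the owning PID rather than just the port.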

  85. Your sig by mdielmann · · Score: 1

    This comment is worded exactly as intended. Any witty "Fixed that for you" jokes will be modded into oblivion.

    Fixed that for you. ...and since it was your sig, and not your comment, I'll expect the mods to shower points upon me. Probably negative, but you take what you can get.

    --
    Sure I'm paranoid, but am I paranoid enough?
  86. Time to delete my ROMs... by Ryzzen · · Score: 1

    The problem is in SMBv2 and SMBv1

    A shame, really. And I suppose it'll only be a matter of time before they find a zero-day exploit for Super Mario Bros. v3...

  87. Re:pushing the white button?? what does that mean? by toddestan · · Score: 1

    Maybe he's a Mac user?

  88. 16 years enough to test web browsers/environments? by Anonymous Coward · · Score: 0

    See, that is the thing about the web that kind of gets to me. Nobody looks methodically at everywhere certain things *can* be used. They only look at where they "should" be used.
    Here's a shortened list but the thing to really do is just RTFM HTTP & HTML(etc.) specs., for starters, at the grammar/syntax level not "here is how you" level:
    - URLs: any URL can be stuck anywhere - IMG tag, A tag, object/embed, ... frames, Ajax call, redirect, etc.; and that means any protocol scheme
    - MIMETypes: HTTP headers, etc.
    - Content: server can send back anything and call it any mime type

    And multipart MIME responses are just crazy. Very cautiously look at (as TEXT not HTML or email!!) the contents of a spammed HTML email that contains viruses, and you just want to claw your eyes out afterward. Whoever writes some of those really "gets" what the problem is. Unfortunately, they kind of take advantage....
    Sometimes web browsers and their interface to the environment seem like the *least* tested part of the computer.

    A lot of what is wrong with the web in terms of safety is symptomatic of being non-systematic.
    Lots of people have been using the web since 1993 when Mosaic came out, but here we are 16 years later still waiting for browsers (and the systems they run on, and apps configured as external viewers) to be gone over with a fine-tooth comb.

  89. Closing the port DOES NOT HELP AT ALL! by Hurricane78 · · Score: 1

    A simple web page can contain that evil URI. And as it is already on the *inside* of the firewall, it is guaranteed to crash the system. With a bit of luck, one can stumble on a site that got some XSS infection, and that thing scans the whole subnet for crashable computers.

    Then again, what is the point of simple crashes? No cracker is interested in them. They bring no benefits. They rather want one that acts as if *nothing at all* happened, while being infected.

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.