Slashdot Mirror


The First Windows 7 Zero-Day Exploit

xploraiswakco writes with the first Microsoft-confirmed Windows 7 zero-day vulnerability, with a demonstration exploit publicly available. The problem is in SMBv2 and SMBv1 and affects Windows 7 and Windows Server 2008 R2, but not Vista, XP, or Windows Server 2003. A maliciously crafted URI could hard-crash affected machines beyond any remedy besides pushing the white button. "Microsoft said it may patch the problem, but didn't spell out a timetable or commit to an out-of-cycle update before the next regularly-scheduled Patch Tuesday of December 8. Instead, the company suggested users block TCP ports 139 and 445 at the firewall." Reader xploraiswakco adds, "As important as the mentioned article is, it should also be pointed out that any IT staff worth their pay packet should already have port 139 blocked at the firewall, and probably port 445, too."

22 of 289 comments

  1. Are you trolling? by Anonymous Coward · · Score: 2, Informative

    The zero-day vulnerability was first reported by Canadian researcher Laurent Gaffie last Wednesday, when he revealed the bug and posted proof-of-concept attack code to the Full Disclosure security mailing list and his blog.

    Quote whole sentences...

    1. Re:Are you trolling? by DarkOx · · Score: 5, Informative

I always thought that zero-day referred to the time between when an exploit was being used in the wild and the amount of time admins/end users had to patch their systems.

An exploit floating about in the wild where no patch has been made available is a zero day because I have had zero days to patch my systems before the potential for easy exploitation.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    2. Re:Are you trolling? by dave562 · · Score: 2, Informative

      In the context of security exploits, zero day means that the patch is unavailable from the vendor. The original term zero day was stolen from the warez scene where "Zero Day is a state of freshness" (tm). In order for a warez release to be zero day it had to hit the site before it hit the store shelves. Usually that would mean that it came from Europe, or was released by someone who worked at the company putting the game out.

  2. Re:Well researched article, that... by EMN13 · · Score: 4, Informative

The author probably confused the browser service - which is for LAN file sharing - with a web browser. Not that that confusion gives me much faith in the rest of the article; what other "details" are equally mangled?

  3. Re:Why are ports 139 and 445 still open? by ledow · · Score: 4, Informative

    Even weirder - on a machine which isn't on a domain, but which has a software firewall, you can open *every* port to a destination machine (e.g. a fileserver) and it *will* access the SMB shares of that fileserver (\\ipaddress\c$ etc.) but takes forever the first time because the broadcasts have been blocked by the firewall. So it doesn't need the broadcasts, or to be on that domain, or to do anything that isn't direct IP with the target machine - but it still takes forever to realise that and just start listing files.

    And once you've done it once, that file sharing will run at full speed for the rest of the day. I'm imagining some sort of name resolution etc. issue (but the PC in question can actually use the same machine for DNS and still have the problem) but if it's not *required* to connect to the machine, why does it try anyway and hold everything up? And the firewall only ever reports NetBIOS traffic while that's happening.

  4. Re:How is this zero-day? by Yvanhoe · · Score: 3, Informative

    In my book "zero-day" means that the vulnerability and the first practical exploit were released the same day. "Zero-day" refers to the time the dev team had to correct the bug.

    --
    The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
  5. Re:I have to ask by Spad · · Score: 4, Informative

    139 is NETBIOS, 445 is SMB.

    139 is used for discovery and browsing of network shares (Primarily on legacy machines), 445 is the "current" port for accessing network shares.

  6. Win 7 Firewall by carp3_noct3m · · Score: 3, Informative

I decided that unlike Vista, I would beta Windows 7 and be ahead of the curve by the time it came out. I've been running it for roughly a year now (midnight snack time is not conducive to memory). Overall I am actually quite impressed (gasp! shoot me now). One thing I really like is the granular firewall abilities, which have clearly defined and separate inbound/outbound rules. I currently have both set to a PIX-style ACL type deny all except ports I explicitly state. Now this can be a pain when evaluating a new program to figure out which ports it needs open for proper function, but it is definitely something that should be done on a group policy level at the domain. Just because you have a supertight internet facing firewall, you still need to prevent LAN and VPN security issues as well.

    --
    "It's ok, I'm completely secure as long as my iron is off"
  7. Answer by AliasMarlowe · · Score: 4, Informative

    What's so special about 139 and 445? What do they do normally, and why would blocking them help?

    Here's a list of assigned port numbers: https://www.arin.net/knowledge/rfc/rfc1700.txt

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  8. Re:Ball kicking time by 1s44c · · Score: 3, Informative

    Seriously, that's the difference between a hacker and a software engineer right there. If you don't take the time to fix it early, you'll just have to fix it later.

    The Microsoft approach is to collect the money and get their customers to agree that everything that goes wrong is their fault. It's at least as good protection for them as writing decent code and many times cheaper.

  9. Re:interesting, by webmistressrachel · · Score: 2, Informative

I didn't either. The common term was always Big Red Switch. This white button thing has really brought out the trolls, I can't blame them. It doesn't half wind me up that these people have a job and that having a brain disqualifies people from employment these days, God thinking is such a bad thing in the workplace today!!! They'd rather we lolcat the day away and show them nice performance statistics than actually make money for the firm to protect all our incomes. Pride and ego before logic and common sense - welcome to the Noughties.

    --
    This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
  10. Re:I have to ask by Krneki · · Score: 2, Informative

Ports 139, 445, ... aka NetBIOS ports, aka virus ports.

These ports are always closed; if they aren't, your system is already infected.

    --
    Love many, trust a few, do harm to none.
  11. Firewall wont help. by miffo.swe · · Score: 3, Informative

    Since the exploit is possible without any user interaction all it takes to bring down a corporate network is one single machine running the xploit locally. A simple broadcast and every machine running w2kr2 or Vista7 will be dead until someone pulls the plug.

I'm also very surprised that Microsoft didn't audit the code properly after the last hole. You would think that the former xploit would ring a couple of bells since it was big enough for a truck to run through. I'm beginning to suspect all the talk about SDL, reviews and stuff are nothing but PR.

    --
    HTTP/1.1 400
  12. Re:Ball kicking time by Anonymous Coward · · Score: 1, Informative

    Your point being what?

That GP was simply stating that you can get equivalent functionality to current Windows versions using less code than what exists in those current Windows versions. They then extrapolated the usual (but not always) truth that less code equals fewer vulnerabilities given approximately equivalent quality.

  13. Re:How is this zero-day? by Anonymous Coward · · Score: 2, Informative

    Perhaps you can explain how a fix is created before the exploit is released?

    We're talking about exploits in the wild. If the developers or security researchers discover the bug and patch it before any malicious third party does, there you go. This is very frequently the case, which is why you see so many stories about exploits being crafted by reverse-engineering vendor patches.

    If you're going to be a little sarcastic douchebag, at least be right about something.

  14. Re:How is this zero-day? by DMiax · · Score: 2, Informative

Simple: malware writer downloads the patch for $SOFTWARE, reverse-engineers it, understands the bug and creates the malware. If he is fast, there are still enough vulnerable machines around that it is worth it, and it is much cheaper than finding the bug, which generally involves having an illegal peek at the code or very good intuition.

And BTW your repeated references to the movie are not making you look like a geek, more like a wannabe that does not know the first thing.

  15. You need to block *outgoing* ports by WD · · Score: 5, Informative

The article and summary are not clear, but you need to block *outgoing* ports 139 and 445 at the firewall to help protect against this issue. The vulnerability is triggered by the system attempting to make an SMB connection to a malicious server. This can happen in a number of ways, such as viewing a web page in IE or viewing an email message in Outlook or Outlook Express.

    If your firewall blocks outgoing 139 and 445, then the SMB connection attempt fails.
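Putting WD's point about direction next to Spad's port breakdown (comment 5): the host-side trace of this vector is the client itself opening TCP 139 or 445 to an outside address, which the Windows Firewall log (pfirewall.log) records as a SEND entry, while an inbound probe shows up as RECEIVE. The script below is an added example for this mirror, not code from the article or from any poster. It parses that log layout using its own #Fields header and flags SMB/NetBIOS attempts to destinations outside RFC 1918 space. The log lines are constructed (documentation addresses, invented timestamps), and treating the RFC 1918 ranges as "internal" is an assumption about the network, not something the thread states.

```python
"""Triage Windows Firewall log entries for SMB/NetBIOS connection attempts.

Added example: flags a workstation that tries to open TCP 139/445 towards
the Internet, the outbound vector described in the thread.
"""
import ipaddress
from collections import Counter

# Ports from the thread: 139 = NetBIOS session service, 445 = SMB directly over TCP.
SMB_PORTS = {139, 445}

# Assumption for this example: RFC 1918 space is "internal"; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the pfirewall.log layout. Addresses are documentation
# ranges (RFC 5737) and none of these lines come from a real host.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-11-16 09:01:10 ALLOW TCP 192.168.1.20 192.168.1.5 49152 445 0 - 0 0 0 - - - SEND
2009-11-16 09:02:33 DROP TCP 192.168.1.20 203.0.113.9 49153 445 52 S 2090011833 0 8192 - - - SEND
2009-11-16 09:02:34 DROP TCP 192.168.1.20 203.0.113.9 49154 139 52 S 2090011834 0 8192 - - - SEND
2009-11-16 09:05:02 DROP TCP 198.51.100.7 192.168.1.20 40000 445 52 S 11223344 0 5840 - - - RECEIVE
2009-11-16 09:06:45 ALLOW TCP 192.168.1.20 203.0.113.10 49160 80 0 - 0 0 0 - - - SEND
"""


def parse_firewall_log(text):
    """Yield one dict per data line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def smb_attempts(records, path="SEND"):
    """Return SMB/NetBIOS attempts in one direction.

    `path` is the log's own direction marker: SEND means this host initiated
    the connection (the vector WD describes), RECEIVE means a remote host
    connected to us (the LAN broadcast scenario from comment 11).
    """
    hits = []
    for rec in records:
        if rec.get("protocol") != "TCP" or rec.get("path") != path:
            continue
        try:
            dport = int(rec["dst-port"])
            dst = ipaddress.ip_address(rec["dst-ip"])
        except (KeyError, ValueError):
            continue
        if dport not in SMB_PORTS:
            continue
        hits.append({
            "when": f"{rec['date']} {rec['time']}",
            "action": rec["action"],
            "src": rec["src-ip"],
            "dst": str(dst),
            "port": dport,
            "external": not any(dst in net for net in INTERNAL_NETS),
        })
    return hits


def external_smb_summary(hits):
    """Count attempts per external destination. A non-empty result means some
    process on this host tried to speak SMB/NetBIOS to an Internet address,
    which is exactly what the outbound block rule exists to stop."""
    return Counter(h["dst"] for h in hits if h["external"])


if __name__ == "__main__":
    records = list(parse_firewall_log(SAMPLE_LOG))
    outbound = smb_attempts(records)
    for h in outbound:
        scope = "EXTERNAL" if h["external"] else "internal"
        print(f"{h['when']} {h['action']:5} {h['src']} -> {h['dst']}:{h['port']} ({scope})")
    print("external destinations:", dict(external_smb_summary(outbound)))
    print("inbound SMB attempts:", len(smb_attempts(records, path="RECEIVE")))
```

On the constructed sample the two DROP lines to 203.0.113.9 are the ones that matter: a block rule did its job, but something on the host still tried to reach SMB on an outside address, which is the point at which you look at what rendered the page or message that triggered it. An ALLOW on the same ports to an external address is the case where the outgoing block WD describes was missing.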

  16. Yet again ... by daveime · · Score: 2, Informative

    From NT, XP, Vista, Windows 7 ...

    When are they going to learn that EVERY port from 0 - 65535 should be disabled by default, and only enabled if the user chooses ?

  17. Re:on or before the vendor knows about it by donaggie03 · · Score: 2, Informative

I think he was being a little tongue in cheek there. The fact is, Wikipedia is good enough in most instances. But you don't have to take wiki's word for it. Here's what dictionary.com says in regards to zero-day: "pertaining to a program that exploits a computer security vulnerability before security experts can address it" so there you have it.

    --
Three days from now?? That's tomorrow!! ~Peter Griffin
18. Re:Ball kicking time by Blakey Rat · · Score: 2, Informative

    Don't they do code reviews at Microsoft?

    Yes they do.

    Loops 101: prove that the loop terminates under all conditions, even and especially when passed garbage.

    "Terminates under all conditions" is a little difficult to prove in any non-trivial situation.

    Seriously, that's the difference between a hacker and a software engineer right there.

    The former bitches and moans on Slashdot, and Microsoft hires the latter?

    If you don't take the time to fix it early, you'll just have to fix it later.

    Maybe you should send Microsoft your perfect coding technique that won't possibly have exploits. Since you seem to have all the secrets of software nailed down. I'm sure Microsoft would love to see it.

  19. Re:How is this zero-day? by MBGMorden · · Score: 3, Informative

    You're just being idiotic now.

    Here's an easy, plain vanilla example for you to understand:

Firefox releases Firefox 4.0. In the patch notes they say "- Found and fixed a bug allowing a website to catch your computer on fire.".

    Some anxious teenager reads that and says "Holy shit! I bet a lot of people haven't upgraded yet. I'm off to craft up an exploit . . .". A week later he has it ready.

    Millions of computers smolder in ruin. Most importantly though, the fix was available BEFORE the exploit was, and therefore it was not 0-day. End of story.

    --
    "People who think they know everything are very annoying to those of us who do."-Mark Twain
  20. And the exploit is unpatched on release by Anonymous Coward · · Score: 1, Informative

    And the exploit is unpatched on release, therefore it is a zero-day exploit. It will ALWAYS be a zero-day exploit since at its release it was unpatched and that will remain true for as long as the exploit lives. Just like a boy will remain born a boy for the rest of his life.

    At some point the boy will become a man and in the same way this zero day exploit will have been patched.

But it will always remain a zero day exploit no matter what its age. The zero day exploit is its status at "birth".