The First Windows 7 Zero-Day Exploit
xploraiswakco writes with the first Microsoft-confirmed Windows 7 zero-day vulnerability, with a demonstration exploit publicly available. The problem is in SMBv2 and SMBv1 and affects Windows 7 and Windows Server 2008 R2, but not Vista, XP, or Windows Server 2003. A maliciously crafted URI could hard-crash affected machines beyond any remedy besides pushing the white button. "Microsoft said it may patch the problem, but didn't spell out a timetable or commit to an out-of-cycle update before the next regularly-scheduled Patch Tuesday of December 8. Instead, the company suggested users block TCP ports 139 and 445 at the firewall." Reader xploraiswakco adds, "As important as the mentioned article is, it should also be pointed out that any IT staff worth their pay packet should already have port 139 blocked at the firewall, and probably port 445, too."
The author probably confused the browser service - which is for LAN file sharing - with a web browser. Not that that confusion gives me much faith in the rest of the article; what other "details" are equally mangled?
Even weirder - on a machine which isn't on a domain, but which has a software firewall, you can open *every* port to a destination machine (e.g. a fileserver) and it *will* access the SMB shares of that fileserver (\\ipaddress\c$ etc.) but takes forever the first time because the broadcasts have been blocked by the firewall. So it doesn't need the broadcasts, or to be on that domain, or to do anything that isn't direct IP with the target machine - but it still takes forever to realise that and just start listing files.
And once you've done it once, that file sharing will run at full speed for the rest of the day. I'm imagining some sort of name resolution etc. issue (but the PC in question can actually use the same machine for DNS and still have the problem) but if it's not *required* to connect to the machine, why does it try anyway and hold everything up? And the firewall only ever reports NetBIOS traffic while that's happening.
139 is NETBIOS, 445 is SMB.
139 is used for discovery and browsing of network shares (primarily on legacy machines), 445 is the "current" port for accessing network shares.
What's so special about 139 and 445? What do they do normally, and why would blocking them help?
Here's a list of assigned port numbers: https://www.arin.net/knowledge/rfc/rfc1700.txt
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
I always thought that zero-day referred to the time between when an exploit was being used in the wild and the amount of time admins/end users had to patch their systems.
An exploit floating about in the wild where no patch has been made available is a zero day because I have had zero days to patch my systems before the potential for easy exploitation.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
The article and summary are not clear, but you need to block *outgoing* ports 139 and 445 at the firewall to help protect against this issue. The vulnerability is triggered by the system attempting to make an SMB connection to a malicious server. This can happen in a number of ways, such as viewing a web page in IE or viewing an email message in Outlook or Outlook Express.
If your firewall blocks outgoing 139 and 445, then the SMB connection attempt fails.
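One way to confirm that the outgoing block described in this thread is actually doing its job: scan the Windows Firewall log for outbound connection attempts to TCP 139/445 and flag any that were ALLOWed to a non-LAN host. This is an added example, not code from the thread or from Microsoft; it assumes the default pfirewall.log field order shown in FIELDS, and the sample log lines are constructed.

```python
"""Report outbound SMB (TCP 139/445) attempts in a Windows Firewall log. Added
example, not from the thread; assumes the default pfirewall.log field order."""
import ipaddress

SMB_PORTS = {139, 445}
FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()
# RFC 1918 ranges: SMB to these is normal LAN file sharing, not the risk here.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-11-13 10:01:02 DROP TCP 192.168.1.20 203.0.113.7 49201 445 52 S 1234 0 8192 - - - SEND
2009-11-13 10:01:03 DROP TCP 192.168.1.20 203.0.113.7 49202 139 52 S 1235 0 8192 - - - SEND
2009-11-13 10:01:05 ALLOW TCP 192.168.1.20 192.168.1.10 49203 445 52 S 1236 0 8192 - - - SEND
2009-11-13 10:01:09 ALLOW TCP 192.168.1.20 198.51.100.9 49204 80 52 S 1237 0 8192 - - - SEND
2009-11-13 10:01:10 ALLOW TCP 192.168.1.30 192.168.1.20 51000 445 52 S 1238 0 8192 - - - RECEIVE
2009-11-13 10:02:00 ALLOW TCP 192.168.1.20 198.51.100.9 49205 445 52 S 1239 0 8192 - - - SEND
"""

def is_lan(ip):
    """True if ip falls in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)

def parse_firewall_log(text):
    """Yield one dict per data line; header and comment lines are skipped."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            parts = line.split()
            if len(parts) == len(FIELDS):   # ignore malformed lines
                yield dict(zip(FIELDS, parts))

def outbound_smb_attempts(text):
    """Outbound TCP attempts to 139/445 as (action, dst-ip, dst-port) tuples."""
    return [(r["action"], r["dst-ip"], int(r["dst-port"]))
            for r in parse_firewall_log(text)
            if r["path"] == "SEND" and r["protocol"] == "TCP"
            and int(r["dst-port"]) in SMB_PORTS]

def unblocked_external(text):
    """Non-LAN hosts an SMB attempt was ALLOWed to: exactly the connections
    the outgoing block recommended in the thread is meant to stop."""
    return sorted({ip for action, ip, _ in outbound_smb_attempts(text)
                   if action == "ALLOW" and not is_lan(ip)})

if __name__ == "__main__":
    for action, ip, port in outbound_smb_attempts(SAMPLE_LOG):
        print(f"{action:5} -> {ip}:{port}")
    print("ALLOWed to external hosts:", unblocked_external(SAMPLE_LOG))
```

Point it at the real log (by default %systemroot%\system32\LogFiles\Firewall\pfirewall.log, with logging of dropped and successful connections enabled) and an empty list from unblocked_external means no outbound SMB reached a non-LAN host.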