The First Windows 7 Zero-Day Exploit

xploraiswakco writes with the first Microsoft-confirmed Windows 7 zero-day vulnerability, with a demonstration exploit publicly available. The problem is in SMBv2 and SMBv1 and affects Windows 7 and Windows Server 2008 R2, but not Vista, XP, or Windows Server 2003. A maliciously crafted URI could hard-crash affected machines beyond any remedy besides pushing the white button. "Microsoft said it may patch the problem, but didn't spell out a timetable or commit to an out-of-cycle update before the next regularly-scheduled Patch Tuesday of December 8. Instead, the company suggested users block TCP ports 139 and 445 at the firewall." Reader xploraiswakco adds, "As important as this the mentioned article is, it should also be pointed out that any IT staff worth their pay packet should already have port 139 blocked at the firewall, and probably port 445, too."

OMG what if my computer doesnt have a white button

What are my options? New computer?

How is this zero-day?

[DNS-and-BIND]

The zero-day vulnerability was first reported by Canadian researcher Laurent Gaffie last Wednesday

OK the exploit is almost a week old already. How is this "zero-day"? In the immortal words of Inigo Montoya: "You keep using that word. I do not think it means what you think it means."

Re:How is this zero-day?

[DMiax]

Nope! It's the number of days between the release date and today.

I find little use in a definition that depends on today's date. Especially because I can read articles from saturday and they will call it 3-day, which gives me no information.

A zero-day exploit is one that is created before a fix is available. It is more severe than others because no version of the target software is safe, even if it is constantly updated. Any security expert knows the implications of this, and how to take it into account when assessing the risks.

Why are ports 139 and 445 still open?

[concernedadmin]

I remember once trying to see what it takes to make Windows not have any ports open and it resulted in severely reduced access to just about anything that wasn't local. Why is it that these ports are necessary? Why is NETBIOS necessary?

Ball kicking time

[Rogerborg]

Don't they do code reviews at Microsoft? Loops 101: prove that the loop terminates under all conditions, even and especially when passed garbage.

Seriously, that's the difference between a hacker and a software engineer right there. If you don't take the time to fix it early, you'll just have to fix it later.

Secured by Default

[Toreo+asesino]

Public networks have all inbound ports blocked by default. Changing a network type to anything other than public requires admin rights, so this would have to be an internal DOS attack realistically.

pushing the white button?? what does that mean?

[DigitalReverend]

The summary states "A maliciously crafted URI could hard-crash affected machines beyond any remedy besides pushing the white button."

I checked all the Windows machines here. None of them have a white button on them anywhere. What does this mean? Does the poster just mean powering the machine off and then on again?

Too many times on Slashdot, when people should be informative, they obfuscate the information it in failed attempts at being clever.

Terrifyingly potent

[Sockatume]

A maliciously crafted URI could hard-crash affected machines beyond any remedy

Oh no! A PC-killer!

besides pushing the white button

A reboot? Well, it's an unorthodox and extreme solution to a machine crashing, we'll have a hard time convincing Windows users to do that.

Re:buttons

[BrightSpark]

Does it have Digital or DG written on it too? Happy days. From the time when a cluster was better than a cloud? When computers were "managed" by people who knew how they worked and who knew Netbios was for something only a friend would share (with another friend). If you wanted a file over a network you sent a request to the Operator for a kind lady to haul your disc pack to the big washing machine thingy and mount it for you. Promotion meant getting system privileges like clearing your own printer queue. Goodbye PDP-11. Mourn not for AOS-VS II. Farewell DG/UX. No more CLI. Welcome to the nouveau "geek" who needs to know why it's bad to have port 139 open but kicks ass in Gears 2. To quote Ripley from "Aliens", "Did IQs suddenly drop while I was gone?"

Re:pushing the white button?? what does that mean?

[Linker3000]

#3043-001 USB White Button Kit........34.99 + Shipping

Ideal for computers not shipped by the manufacturer with a White Button pre-installed.

A White Button is essential for all Windows Users. Upon a system failure, Denial of Service attack or crash, pressing the White Button releases a scientifically-formulated, airborne scent of soothing essential oil fragrances, including: Verbena, Sweet Orange, Roman Camomile and Ylang Ylag.

At the same time, one of a number of pre-programmed actions are triggered while you listen to a random selection of 10 relaxing 'mood music' tracks.

Basic actions include:

1) Reboot
2) Call my IT Support department
3) Call the manufacturer's support department and cancel my evening dinner arrangements
4) Reinstall current OS
5) Reinstall current OS after backing up all user data
6) Wipe and install CentOS
7) Wipe and install Ubuntu
8) Order me a Mac
9) Order me a Big Mac, fries and a Coke

Secondary actions can also be triggered from:

A) Call Microsoft HQ every 'x' minutes and shout 'Fuck it' down the line.
B) Post my CV to Linux-only job sites
C) Rub my shoulders (Requires optional add-on #RS01)
D) Dial local suicide help line

A deluxe version of this item is available (#3043-002, 139.99 + Shipping). This model includes an external 10" LCD panel that can display random pages from a number of Web sites (slashdot.org, fark.com, silicon.com, cloudappreciationsociety.org and todaysbigfail.com)

Extras and consumables:

* #3043-S01 Replacement aromatherapy scent cartridge - pack of 12
* #3043-S02 Replacement mustard gas scent cartridge sold singly, no returns
* #3043-M01 Extended play music ROM - an extra 4 hours of music (for Dell Support customers)
* #3043-P01 Enlarged White Button with face of Steve Ballmer on top. Comes complete with real wood mini hammer and elastic band-powered mini crossbox with safe-tip(TM) arrows (pack of 12 buttons)

Re:Are you trolling?

[DarkOx]

I always thought that zero-day referred to the time between when an exploit was being used in the wild and the amount of time admins/endusers had to patch there systems.

In the case of an exploit floating about in the wild where there has been no patch made available is a zero day because I have had zero days to patch my systems before the potential for easy exploitation.

You need to block *outgoing* ports

[WD]

The article and summary are not clear, but you need to block *outoing* ports 139 and 445 at the firewall to help protect against this issue. The vulnerability is triggered by the system attempting to make an SMB connection to a malicious server. This can happen in a number of ways, such as viewing a web page in IE or viewing an email message in Outlook or Outlook Express.

If your firewall blocks outgoing 139 and 445, then the SMB connection attempt fails.