Slashdot Mirror


Microsoft Won't Patch 20-Yr-Old SMBv1 Vulnerability (You Should Just Turn the Service Off) (onmsft.com)

An anonymous reader shares a news post: Following the recent WannaCry and Petya ransomware attacks, Microsoft recommended all Windows 10 users to remove the unused but vulnerable SMBv1 file sharing protocol from their PCs. This is because both variants of the ransomware actually used the same SMBv1 exploit to replicate through network systems, even though it seems that Petya mostly affected Windows PCs in Ukraine. Anyway, if you haven't turned off the protocol on the PC already, you really should: Not only because new WannaCry/Petya variants could once again use the same vulnerability again to encrypt your files, but because another 20-year-old flaw has just been unveiled during the recent DEF CON hacker conference. The SMB security flaw called "SMBLoris" was discovered by security researchers at RiskSense, who explained that it can lead to DoS attacks affecting every version of the SMB protocol and all versions of Windows since Windows 2000. More importantly, a Raspberry Pi and just 20 lines of Python code are enough to put a Windows server to its knees.

131 comments

  1. why was SMB1 still enabled 20 years later? by Anonymous Coward · · Score: 5, Insightful

    Why doesn't Microsoft patch the OS so that SMB1 is disabled entirely? I mean MS already shoves all sorts of crap down your throat anyways, why can't that unshove shit?

    1. Re: why was SMB1 still enabled 20 years later? by Anonymous Coward · · Score: 0

      I can attest to this. My father was able to get his Windows 10 rooted and got a bunch of viruses. So much for more secure.

    2. Re:why was SMB1 still enabled 20 years later? by suutar · · Score: 3, Informative

      Planned for Windows 10 Fall Creators Update, according to TFA

    3. Re: why was SMB1 still enabled 20 years later? by Dog-Cow · · Score: 1

      Is that when he asked you to stop "helping" him?

    4. Re:why was SMB1 still enabled 20 years later? by The MAZZTer · · Score: 2

      Probably because some third-party apps still use it. Google recently released an app for Android which provides SMB client functionality. Guess what? It only supported SMB1. This was released AFTER the SMB1 deprecation announcement. Since then they did update the app with modern SMB support.

    5. Re:why was SMB1 still enabled 20 years later? by Anonymous Coward · · Score: 0

      Why doesn't Microsoft patch the OS so that SMB1 is disabled entirely? I mean MS already shoves all sorts of crap down your throat anyways, why can't that unshove shit?

      2 words: "backwards compatibility"

      Got it?

    6. Re:why was SMB1 still enabled 20 years later? by Anonymous Coward · · Score: 0

      "why was SMB1 still enabled 20 years later?"

      Because SMB2 did not exist until Vista. Which was only released ten years ago.

    7. Re:why was SMB1 still enabled 20 years later? by Anonymous Coward · · Score: 0

      Because SMB1 is faster (latency-wise) and more reliable than SMB2/3 when using certain fileserver-based database applications (DBase, Clipper etc.). We still use SMB1 on our production networks, due to that reason. We don't need to fear Petya, because we don't leak SMB1 (and SMB2) to the open Internet. When MS finally pulls the plug on SMB1, we're going Linux/Samba.

    8. Re:why was SMB1 still enabled 20 years later? by arglebargle_xiv · · Score: 1

      It's not just SMBv1, it's any version. Only way to stop this one is to firewall off all the SMB ports.

      Oh, and given its scope, I think MS will have to patch this one, just not on XP or older. Unless some government pays them a lot of money to do so.

    9. Re:why was SMB1 still enabled 20 years later? by Anonymous Coward · · Score: 0

      So if something manages to get onto a single box or device on your internal network, you're pwn'd? Yeah, definitely no need to fear it. Remain complacent!

    10. Re:why was SMB1 still enabled 20 years later? by Anonymous Coward · · Score: 0

      Because you might actually need it for backwards compatibility with some old devices...
      On the other hand, there is absolutely no excuse for any version of SMB to be enabled by default.

    11. Re:why was SMB1 still enabled 20 years later? by pnutjam · · Score: 1

      What's the app?

    12. Re:why was SMB1 still enabled 20 years later? by Anonymous Coward · · Score: 0

      As an electrician who purposely leaves infected jump drives in every business I visit, because it's hilarious, I disagree.

  2. So when will HP upgrade? by GerbilSoft · · Score: 5, Interesting

    Most of HP's multi-function printers with Scan To Network only support SMB1. When will they issue a firmware update that adds support for SMB2?

    1. Re:So when will HP upgrade? by Anonymous Coward · · Score: 0

      It's a DoS attack. Most people couldn't give the slightest shit. Including me.

    2. Re:So when will HP upgrade? by DigiShaman · · Score: 2

      EOL means SOL. OTOH, sales are about to increase at HP.

      In other news, recycling facilities that haul off e-waste are about to get an influx of obsolete equipment.

      Hey, don't hate me, I'm just the messenger.

      --
      Life is not for the lazy.
    3. Re:So when will HP upgrade? by Anonymous Coward · · Score: 0

      It's HP they want you to buy a new device.

    4. Re:So when will HP upgrade? by nine-times · · Score: 2

      It's not just HP. It's a bunch of equipment-- some of it not even that old.

      Oh well. You'll have to buy a new one.

    5. Re:So when will HP upgrade? by Anonymous Coward · · Score: 0

      Set up a SMB1 server specifically for your printer to access. Set your firewall to allow only your printer to access it.
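
The firewall scoping suggested in this comment, sketched for Windows Firewall on a dedicated scan drop host. This is an added example, not code from the thread or TFA; the function names and the printer address are hypothetical, and it assumes an elevated prompt on Windows 8 / Server 2012 or later. Windows Firewall filters on ports, not SMB dialects, so this limits who can reach SMB on the host at all; scans are then collected from the host over another protocol.

```powershell
#Requires -RunAsAdministrator
# Added example: limit inbound SMB on a dedicated scan drop host to one printer.
# Constructed value: 192.0.2.50 is a documentation-range address; use the printer's real IP.
$PrinterIp = '192.0.2.50'

function Get-InboundSmbAllowRule {
    # List enabled inbound allow rules whose TCP local port includes 139 or 445,
    # together with the remote addresses they currently admit.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $isTcp = $port.Protocol -in 'TCP', '6'
        $isSmb = @($port.LocalPort) -match '^(139|445)$'
        if ($isTcp -and $isSmb) {
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Name          = $_.Name
                DisplayName   = $_.DisplayName
                LocalPort     = @($port.LocalPort) -join ','
                RemoteAddress = @($addr.RemoteAddress) -join ','
            }
        }
    }
}

function Set-SmbPrinterOnly {
    # Narrow every rule found above to a single remote address.
    # A rule that also lists non-SMB ports is narrowed for those ports too,
    # so review the report before applying.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$RemoteAddress)

    foreach ($rule in Get-InboundSmbAllowRule) {
        if ($PSCmdlet.ShouldProcess($rule.DisplayName, "Restrict remote address to $RemoteAddress")) {
            Set-NetFirewallRule -Name $rule.Name -RemoteAddress $RemoteAddress
        }
    }
}

# Report first, then preview the change; drop -WhatIf to apply it.
Get-InboundSmbAllowRule | Format-Table -AutoSize
Set-SmbPrinterOnly -RemoteAddress $PrinterIp -WhatIf
```

Rules delivered by Group Policy live in a separate policy store and are not changed by this local edit.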

    6. Re:So when will HP upgrade? by OhPlz · · Score: 4, Informative

      This is why you don't buy hardware from HP.

    7. Re:So when will HP upgrade? by sexconker · · Score: 1

      I have backup software that only works with SMB1.
      Game over.

    8. Re:So when will HP upgrade? by AmiMoJo · · Score: 4, Funny

      Also, thanks to TFA for providing instructions on how to disable SMB1.

      Also why the hell does Windows have Super Mario Brothers 1 and 2 built in?!?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    9. Re:So when will HP upgrade? by omnichad · · Score: 1

      Good luck getting your scans back off the server.

    10. Re:So when will HP upgrade? by rphenix · · Score: 1

      What amazes me is you can buy page-wide business printers right now that still have the vulnerability.

    11. Re:So when will HP upgrade? by Anonymous Coward · · Score: 0

      Run your backups over a VPN or even a physical private network. I've done backups to insecure NFS using an Ethernet crossover cable directly from a file server box to a backup server box. How hard could it be.

    12. Re:So when will HP upgrade? by Anonymous Coward · · Score: 1

      Because it's so very hard to write a script that copies your scans from the SMB1 drop box to a more convenient place.

      Downhill, slashdot has fallen. Morons, all.

    13. Re:So when will HP upgrade? by Anonymous Coward · · Score: 0

      You [and everyone] need proper network segmentation and controls to mitigate threats like this. This is not the only unpatchable security issue we've seen or the last one to come up.

    14. Re:So when will HP upgrade? by Anonymous Coward · · Score: 5, Insightful

      Or operating systems from MS.

    15. Re:So when will HP upgrade? by omnichad · · Score: 1

      The Firewall is set to not allow packets between that server and anywhere else. Good luck getting the script to get around that.

    16. Re:So when will HP upgrade? by Shotgun · · Score: 1

      Good luck when your datacenter loses power.

      --
      Aah, change is good. -- Rafiki
      Yeah, but it ain't easy. -- Simba
    17. Re:So when will HP upgrade? by MachineShedFred · · Score: 1

      What is this, 1996? Block all or nothing? How hard is it to figure out that he meant to only allow SMBv1 between the printer and this host, and then this host allows literally ANY OTHER PROTOCOL in order to connect and get the scanned images?

      Never heard of setting up a print server to talk to some old pile of shit that still serves the purpose of putting ink / toner to paper, but uses outdated interfaces or protocols? It's the exact same thing.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    18. Re:So when will HP upgrade? by Anonymous Coward · · Score: 0

      Spotted the retard.

    19. Re:So when will HP upgrade? by tlhIngan · · Score: 1

      Most of HP's multi-function printers with Scan To Network only support SMB1. When will they issue a firmware update that adds support for SMB2?

      Use "Scan to email" instead. Scan to Network just seemed to be a waste of time, filling a folder with scan_**** files as people scanned them and left them there instead of deleting it. Scan to email is similar, but it just emails you the PDFs

    20. Re:So when will HP upgrade? by karnal · · Score: 1

      Why would I buy another HP if they refused to help once? Plenty of fish in the sea (not that there might be a better option...)

      --
      Karnal
    21. Re:So when will HP upgrade? by Anonymous Coward · · Score: 0

      Because you are the product.

    22. Re:So when will HP upgrade? by Anonymous Coward · · Score: 0

      It's almost as if people feel like they can go full retard because Internet.

    23. Re: So when will HP upgrade? by Anonymous Coward · · Score: 0

      By luck you mean batteries and/or generator?

    24. Re:So when will HP upgrade? by Strider- · · Score: 1

      On the setup I used, you'd pick your username, and your scans would be dropped into a folder in your home directory. Easy peasy.

      --
      ...si hoc legere nimium eruditionis habes...
    25. Re:So when will HP upgrade? by Dog-Cow · · Score: 2

      Is there any universe in which loss of power is relevant to setting up a special server to talk to old hardware? Or do you just spout random shit as a vocation?

    26. Re:So when will HP upgrade? by Anonymous Coward · · Score: 0

      There are many industries where scan to email would be a very very bad idea. Do you want your bank to implement this solution?

    27. Re:So when will HP upgrade? by Wolfrider · · Score: 1

      > I have backup software that only works with SMB1.

      --Past time to change backup software. If you need it to work with XP, current AOMEI and Acronis circa 9.1 should do the job. If you have more specific requirements, you owe it to your own personal security to look around for something else to replace software that is obviously outdated and insecure.

      --
      .
      == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
    28. Re: So when will HP upgrade? by sexconker · · Score: 1

      When our data center loses power, it is pure luck if the UPS works, the generator kicks on, and cooling stays on.

    29. Re:So when will HP upgrade? by sexconker · · Score: 1

      It's Acronis. Acronis vmProtect / Acronis Backup for VMware (they changed the name). The new version (which we don't have a license for) is called something else.

      I found out that Acronis requires SMB1 by disabling SMB1 and then having all hell break loose with the backups until I reenabled SMB1 on that server.

    30. Re:So when will HP upgrade? by Wolfrider · · Score: 1

      --Try checking out Veeam Endpoint backup, they just released Version: 2.0.0.700 on May 11:

      https://www.veeam.com/windows-...

      --
      .
      == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
    31. Re:So when will HP upgrade? by omnichad · · Score: 1

      Well, my response was to someone who literally said "Set your firewall to allow only your printer to access it."

      Whatever is possible isn't really relevant.

    32. Re:So when will HP upgrade? by Anonymous Coward · · Score: 0

      > I have backup software that only works with SMB1.

      --Past time to change backup software. If you need it to work with XP, current AOMEI and Acronis circa 9.1 should do the job. If you have more specific requirements, you owe it to your own personal security to look around for something else to replace software that is obviously outdated and insecure.

      "If it ain't broken, don't fix it," if it's obsoleted, it's NOT broken.
      I was walking by a New York / NJ transit kiosk today and was greeted by an in-progress white-background (!) boot screen... from Windows *2000*. I hadn't seen one of those on a business since a very late migration from Windows 2000 SP4 to XP back in 2006 at a public community college in New York (which happened just around the corner from the official Windows Vista release.)

      I had to mentally double check whether XP was newer or older than 2000, and had to smile. The audacity of the transit authorities for raising prices every 18 months when clearly these software costs are still amortized long ago with a 15+ year old product when even the newer version has been out of Extra / Extra Extended Support to most government agencies for more than a couple years now... ... So if the big shots can do it so shamelessly, we can't just go around asking people to pay the big bucks just to fill some checkboxes when the security industry is so under-rated. We're a looong way from reliable, secure, fine-able levels of trust that are placed on industries such as building / bridge engineering and medicine

    33. Re:So when will HP upgrade? by Anonymous Coward · · Score: 0

      Better to use something bare metal and open source like Redo Backup & Recovery.

    34. Re:So when will HP upgrade? by sexconker · · Score: 1

      We're scheduled to buy new licenses for Acronis and I'm sick of some of the bullshit, so Veeam is being considered. I think they're cheaper with our contracts, too.

    35. Re:So when will HP upgrade? by Anonymous Coward · · Score: 0

      With the breadth of backup strategies these days, there's little (good) reason to use something like SMB.

    36. Re:So when will HP upgrade? by jabuzz · · Score: 1

      That's fine because my backup that works like that is connected via single mode fibre and they are about 1km apart :-)

    37. Re:So when will HP upgrade? by Anonymous Coward · · Score: 0

      Or operating systems from MS.

      ^ This

    38. Re:So when will HP upgrade? by Anonymous Coward · · Score: 0

      Or just run a linux server with samba, which contains an implementation of SMBv1 which doesn't contain these known flaws.

    39. Re:So when will HP upgrade? by DigiShaman · · Score: 1

      Depends. Would another company provide the same level of support post a product past EOL? If so, then you have your answer.

      With regards to specifically this problem of SMB1 compatibility, I did run into that issue with a Toshiba multi-function printer once I replaced their old Windows SBS 2003 server with a Server Essentials 2016 box. The printer was still under support contract, and in fact there was a firmware update available for it. Sure enough, I can scan to a folder via SMB again. But on a personal rant, I really hate the Toshiba web configuration UI; it's dated and the layout sucks balls. Everything is scattered all over the place. But, at the end of the day, they work well. Take that for what you will.

      --
      Life is not for the lazy.
    40. Re:So when will HP upgrade? by Anonymous Coward · · Score: 0

      I think it was to increase the OS size back in the Windows 3.11 days. Switching between all those disks made it hard enough to successfully install the OS, can you imagine the amount of effort required to copy it without getting a disk read error?

    41. Re:So when will HP upgrade? by Anonymous Coward · · Score: 0

      Never, obviously. HP doesn't do firmware (or even driver, usually, if more than 6 months or so old) updates for printers. Certainly never for printers that are older than the current service pack (i.e. Win10 semiannual release).

    42. Re:So when will HP upgrade? by Anonymous Coward · · Score: 0

      I suppose you can set up an "email server" one cable down the printer, receive these emails and scrap them to put the files on an SMBv2 file server.
      That's completely ridiculous but might be easier than getting a scanner to run under linux?

    43. Re: So when will HP upgrade? by Bengie · · Score: 1

      Is it really a datacenter? Are you sure it's not just a bunch of servers in a large lavatory closet?

    44. Re: So when will HP upgrade? by sexconker · · Score: 1

      Yes it is, unfortunately.

      1 UPS unit (of 2) has gremlins, so if you're on that one only you're screwed. If your gear is on both you're okay until thermal protection kicks in. The people who run the data center don't run the building and can't force the HVAC back on when utility power is restored.

    45. Re:So when will HP upgrade? by terjeber · · Score: 1

      Well, it's often practical to turn on your brain before you start throwing ignorant nonsense around in a public forum... or?

    46. Re:So when will HP upgrade? by terjeber · · Score: 1

      Were you born retarded or did you grow into it?

    47. Re:So when will HP upgrade? by omnichad · · Score: 1

      So go ahead and do it. I was pointing out how stupid they were with sarcasm (illustrating the absurdity of allowing the SMB server to only connect to the printer). That joke clearly flew over your head too.

  3. New Lamest Vendor found by Anonymous Coward · · Score: 0

    Looks like the Pwnie Awards for "Lamest Vendor" was given to the wrong "vendor". Wilfully leaving millions of people open to an exploit that is in active use is just beyond lame.

    1. Re:New Lamest Vendor found by BronsCon · · Score: 1

      On an otherwise air-gapped network which receives periodic functionality and security updates via local WSUS, SMB1 might be perfectly safe to use. In fact, there are a great many instances where SMB1 might not pose a problem, and many of them involve expensive equipment that only speaks SMB1. Why would MS push an update to piss off the majority of medium-to-large businesses, who are the typical users of such equipment and configurations?

      Those are the only users they seem to care about not pissing off right now.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    2. Re: New Lamest Vendor found by Anonymous Coward · · Score: 0

      You know the difference between a Windows sysadmin and a Unix one?
      With Windows you invest hours turning off crap you don't need, with Unix you spend them activating shit you need.
      That's all.

    3. Re:New Lamest Vendor found by TheRealMindChild · · Score: 1

      It has happened before. Microsoft will choose backward compatibility over security any day of the week. There was an exploitable flaw in NT4 with DCOM that they wouldn't patch because it would fundamentally change how things worked. Your option is to keep it, or move to something else. Same with this SMB1 crap. If you need it, it is there. But it is old and decrepit and not even MS wants to touch it. Move on.

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    4. Re: New Lamest Vendor found by Anonymous Coward · · Score: 0

      Except all those systemd components that have to be turned off.

    5. Re: New Lamest Vendor found by Anonymous Coward · · Score: 0

      Invest hours turning off crap? You're doing it wrong.
      Write a simple script (ie VBScript, PowerShell, etc) or even the good old batch file in windows which disables stuff you don't need and apply it to all of your endpoints. You can do it in less than 20 minutes even if you have more than 3,000 endpoints.

    6. Re: New Lamest Vendor found by Anonymous Coward · · Score: 0

      You will still spend hours figuring out what isn't needed. And rolling back things that somehow are needed. Like SMBv1 because some software requires it :(

    7. Re: New Lamest Vendor found by BronsCon · · Score: 1

      Or you just turn it all off via script as part of the install process; then you're at the same point you'd be at with a fresh Linux install. From there, regardless of platform, you still have to figure out what needs turned on.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  4. Windows server to its knees? by Anonymous Coward · · Score: 0

    More importantly, a Raspberry Pi and just 20 lines of Python code are enough to put a Windows server to its knees.

    Well, isn't your run of the mill screen saver enough to do that?

  5. In other words by whitlocktj · · Score: 1

    You shouldn't use outdated standards. I thought this was already decided. Let me go update my router so that it'll fix a bug in WEP. That'll make it secure.

  6. Re:You weren't born gay. God doesn't make mistakes by Anonymous Coward · · Score: 0

    looks like god made 1 mistake...

  7. Slowloris for SMB? by Anonymous Coward · · Score: 0

    Apache has the same vulnerability and they never really came up with a good fix for it.

    1. Re: Slowloris for SMB? by Anonymous Coward · · Score: 0

      Apart from the event MPM and additional timeouts, you mean?

  8. Fake Rage by rewardian · · Score: 1

    Like Robert Graham describes in http://blog.erratasec.com/2017..., it's a type of attack that can be perpetrated against any service on the internet.

    Solutions:
    - Build a proxy service (per the article) that parses input before passing it to $SERVICE.
    - Do not put it on the internet (i.e. firewall).

    Is SMB open by default in Windows Firewall anyway? If anything, pooh-pooh Redmond for that. I know, I know, millions of affected hosts.

    1. Re:Fake Rage by omnichad · · Score: 1

      Build a proxy service (per the article) that parses input before passing it to $SERVICE.

      Sounds like a job for a Firewall/UTM to handle for you. Of course those don't usually protect much from internal traffic.

    2. Re:Fake Rage by rewardian · · Score: 1

      I agree, an intelligent firewall or IPS should be able to handle this sort of attack. Reductive and higher level, HAProxy (etc.) could handle this. Perhaps I'm naive on internal traffic element, but if you protect the gateways into your system I'd monitor that traffic at most.

  9. my two cents... by Anonymous Coward · · Score: 0

    They should just send an update that disables it for all users. It would have to be no more a pain due to the repercussions of not disabling it.

    Seriously though, there is an awful lot of questionable things (to me) that Microsoft does on a regular basis. But doing something like this would be A super inconvenient, and B, force a lot of other vendors to up their standards as well (pun potentially intended).

    I couldn't see the move as any more disastrous as entire hospitals going offline... I dunno, this is just one guy's opinion... flame away!

    1. Re:my two cents... by BronsCon · · Score: 3, Insightful

      I couldn't see the move as any more disastrous as entire hospitals going offline...

      What, pray tell, do you think happens when the whole reason the hospital has SMB1 enabled on its systems in the first place is to talk to multi-hundred-thousand- and multi-million-dollar pieces of medical equipment (think MRI and such) that don't speak SMB2?

      Therein lies the rub.

      Yes, those machines should be on an air-gapped network shared only with the workstations used to control and operate them. No, the vendors of those machines will not allow that because they want realtime monitoring of the equipment. Blame those vendors for Microsoft really not being able to do anything about this; it's not like hospitals can say "fine, if you won't sell us a more up-to-date MRI we just won't have one at all", they'd face liability for not utilizing every available means of diagnosis and treatment.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    2. Re:my two cents... by Anonymous Coward · · Score: 0

      You have never heard of VLANs have you?

    3. Re:my two cents... by BronsCon · · Score: 2

      VLANs aren't a perfect solution, switch firmware can potentially be exploited and we're talking about potentially life-and-death critical infrastructure. Beyond that, if the vendors want the equipment on the public internet (which they do, which you'd understand had you read my entire post before spouting off), VLANs aren't really a solution.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    4. Re: my two cents... by Spliffster · · Score: 2

      I work in a hospital and you are right. Multi million dollar FDA approved equipment is slow to get updates. The larger the company the worse the service (I am looking at you GE). However, MRIs should talk DICOM and not SMB. SMB would be a very stupid option!

    5. Re: my two cents... by BronsCon · · Score: 2

      My point was that there is plenty of equipment in use today (mostly high-end and expensive printers) which, of the file transfer protocols Windows speaks natively, only speak SMB1, and that the fault for those systems being online often lies with vendors, while the fault for those systems being misconfigured and the network they are on being vulnerable often lies with the IT department. I framed my argument in terms of a hospital because that's what I was replying to.

      And you should know that many hospitals do use printers affected by this.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    6. Re:my two cents... by Anonymous Coward · · Score: 0

      SMBv1 is an optional feature that can be disabled.

      It is enabled by default, but that should no longer be the case given its age and security issues.

      They cannot remove it without breaking things (for some people), but they can remove it as a default in the next version of Windows Server---which they absolutely should do.

    7. Re: my two cents... by Anonymous Coward · · Score: 0

      Relax. The parent poster agreed with your overall point and offered a slight clarification.

    8. Re:my two cents... by painandgreed · · Score: 1

      Yes, those machines should be on an air-gapped network shared only with the workstations used to control and operate them.

      Sure. Let's forget the PACS systems, the Radiologists' workstations, the research workstations, the various long term storages, medical records, the file room, transfer systems to other hospitals, etc. The size of radiological files for things like CTs and MRIs is too large to deal with sneakernet in the normal workflow. Never mind who knows how many corner cases such as downtime workflows. Even CR and DR are a pain in the ass these days and being phased out for wireless transfer and those are just plain films. You might as well talk about air gapping the different nodes of your Beowulf cluster from each other.

    9. Re:my two cents... by painandgreed · · Score: 1

      Let's not forget the RIS and HIS coming from the other direction. You really don't want techs having to wait till they finish manually entering in all the patient and exam data before they can start some exam, and then hoping nothing is wrong.

    10. Re:my two cents... by BronsCon · · Score: 1

      And that attitude is why hospitals are easy targets for ransomware. Enjoy your infection while I treat my own.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  10. Ummmmm Link for how to turn it off? by A10Mechanic · · Score: 5, Informative
    1. Re:Ummmmm Link for how to turn it off? by sexconker · · Score: 4, Informative

      Keep in mind there's a server component and a client component (regardless of whether or not you have a "server" OS), and you probably want to disable both.
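
The server and client halves mentioned in this comment can be checked and switched off separately. The PowerShell below is an added example, not code from the thread or TFA; the function names are hypothetical, and it assumes an elevated prompt on Windows 8.1 / Server 2012 R2 or later.

```powershell
#Requires -RunAsAdministrator
# Added example: report the state of both SMBv1 halves and optionally turn them off.

function Get-Smb1State {
    # Server half: does the Server service still accept SMBv1 sessions?
    $serverEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Client half: the SMBv1 redirector is the mrxsmb10 driver.
    # Start = 4 means disabled; a missing key means the driver is not installed.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    $clientEnabled = ($null -ne $start) -and ($start -ne 4)

    # Optional feature that carries both halves on newer builds.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        ServerEnabled = $serverEnabled
        ClientEnabled = $clientEnabled
        FeatureState  = if ($feature) { $feature.State } else { 'NotPresent' }
    }
}

function Disable-Smb1 {
    # -RemoveFeature removes the optional feature (server and client together);
    # without it, each half is disabled in place and can be re-enabled later.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$RemoveFeature)

    $state = Get-Smb1State

    if ($RemoveFeature -and $state.FeatureState -eq 'Enabled') {
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Remove SMB1Protocol feature')) {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
        return
    }

    if ($state.ServerEnabled -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }

    if ($state.ClientEnabled -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 client')) {
        # Drop mrxsmb10 from the Workstation service's dependencies first,
        # otherwise that service will not start once the driver is disabled.
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }
}

# Report only; run Disable-Smb1 (optionally with -WhatIf) to change anything.
Get-Smb1State | Format-List
```

The client change and the feature removal take effect after a restart.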

  11. People still USE SMBv1 by CanEHdian · · Score: 1

    Because SMBv2 on android is apparently still difficult. With ES File Explorer, you need to install some crappy game to get SMBv2 support and it's spotty at best. Not everyone likes to run a streaming server (that actually have client-like, full screen interfaces), just have a share or two and access it via SMB from all kinds of devices. Maybe there'll be a Windows port of SAMBA to use a non-vulnerable version of SMBv1.

    --
    When the copyright term is "forever minus a day", live every day like it's the last.
    1. Re:People still USE SMBv1 by BronsCon · · Score: 3, Informative

      The SMB1 protocol is vulnerable. An implementation lacking the vulnerability would be incomplete and, likely, nonfunctional.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  12. It's easy enough to turn off via group policy by cyber-vandal · · Score: 1

    The trouble is that lots of software still requires it. Probably why MS don't turn it off via an update.

    1. Re:It's easy enough to turn off via group policy by suutar · · Score: 1

      They're planning to turn it off in Windows 10 Fall Creators Update according to TFA. I guess they've had enough of it.

    2. Re:It's easy enough to turn off via group policy by Trax3001BBS · · Score: 1

      They're planning to turn it off in Windows 10 Fall Creators Update according to TFA. I guess they've had enough of it.

      Why I paid the extra for Pro. This disabling of gpedit.msc (group editor) has been planned for the normal Windows 10 user since its first release.

    3. Re:It's easy enough to turn off via group policy by Anonymous Coward · · Score: 0

      Huh? gpedit has never been there for Home-level Windows, at least in a form accessible to users. That's why many MS tweaks have both a gpedit method (for Pro and up) and a registry hack (for Home).

  13. Usual crap by volodymyrbiryuk · · Score: 1

    Remove it just to see it reappear after the next windows update.

    --
    sudo rm -r -f --no-preserve-root /
    1. Re:Usual crap by Trax3001BBS · · Score: 1

      Remove it just to see it reappear after the next windows update.

      So much support in such a small space. After an update I run %temp%, if I'm not taken to c:\temp I have to assume everything else has been re-rolled as well.

  14. all versions by MSG · · Score: 1

    By "the service" do you mean SMB? The threat is described as affecting all versions of SMB, but nearly all of the tech writers describing the bug are suggesting turning off SMBv1. Is no one actually paying attention to what the authors are saying, or am I missing something?

    1. Re:all versions by E-Rock · · Score: 1

      Can you post where SMBLoris works on SMBv2 or v3? I haven't seen that, but the reporting has been pretty vague. Still you should remove (not just disable) SMBv1 where you can and block all inbound SMB traffic except where needed.

    2. Re:all versions by MSG · · Score: 1

      https://threatpost.com/windows...

      "The vulnerability affects every version of the SMB protocol and every Windows version dating back to Windows 2000."

    3. Re:all versions by MSG · · Score: 1

      ...and also:

      https://www.theregister.co.uk/...

      "According to Microsoft's SMB supremo Ned Pyle, SMBLoris affects all versions of SMB – not v1 as first thought"

      Though it's not clear who "first thought" that. The authors were pretty clear that "it can lead to DoS attacks affecting every version of the SMB protocol." That's quoted from the slashdot summary, which is what makes it so very odd that the editors or the submitter spent most of the text of the summary talking about disabling SMBv1, which is in no way a mitigation for this attack.

      It's as if "disable SMBv1" has simply become a knee-jerk reaction to SMB bugs, and people are no longer listening to the details of new attacks.

    4. Re:all versions by E-Rock · · Score: 1

      Thanks, I hope we get a patch for SMBv2/3 even if they declare SMBv1 dead.

    5. Re:all versions by Shimbo · · Score: 1

      It's as if "disable SMBv1" has simply become a knee-jerk reaction to SMB bugs, and people are no longer listening to the details of new attacks.

      “The case offers no serious security implications and we do not plan to address it with a security update,” a Microsoft spokesperson told Threatpost. “For enterprise customers who may be concerned, we recommend they consider blocking access from the internet to SMBv1.”

      Looks like Microsoft didn't get their story straight at first.

  15. " Javascript is disabled" by Anonymous Coward · · Score: 0

    "Please enable javascript and refresh the page"

    Wankers

  16. There's a patch for this. by stooo · · Score: 1, Insightful

    There's a patch for this.
    https://linuxmint.com/download...

    --
    aaaaaaa
  17. Turning it on again by xushi · · Score: 1

    Won't this leave all Windows machines vulnerable to any other exploit that would gain access to the device, potentially turn it on again, and allow the ransomware to do its damage?

    It would be better to remove SMB1 support entirely, or patch it if that's too difficult for MS.

    1. Re:Turning it on again by Anonymous Coward · · Score: 0

      It would be better to remove SMB1 support entirely, or patch it if that's too difficult for MS.

      Apparently the flaw lies in the protocol itself, which means that it's likely independent of implementation and thus not fixable because any fix would probably break the protocol in such a way as to make it non-functional in which case you might as well not use it at all.

  18. Re:You weren't born gay. God doesn't make mistakes by Anonymous Coward · · Score: 0

    Fuck off, there's a good scumbag.

  19. Microsoft list of SMB1 products by Traf-O-Data-Hater · · Score: 4, Informative

    Agreed, there is a huge lot of older but still functional equipment that only talks SMB1. Microsoft has put together this list, and it surely isn't everything: https://blogs.technet.microsoft.com/filecab/2017/06/01/smb1-product-clearinghouse/

  20. You missed the patch for systemd. by jimtheowl · · Score: 2, Insightful
  21. Stuck supporting it because of OS X. by aaarrrgggh · · Score: 3, Informative

    OS X still has such miserable SMB client we are stuck with SMB1/CIFS to maintain some semblance of reliability and speed.

    1. Re:Stuck supporting it because of OS X. by aaarrrgggh · · Score: 1

      Actually, after breaking down and trying to get the thing to work it looks like it might just have terrible default values for caching and asynchronous transfer...

  22. Easy solution many ways... apk by Anonymous Coward · · Score: 0

    See subject & for the solution - SMB Ports 445/139 (TCP) & 137/138 (UDP) protection via:

    Disable SMBv1 on the SERVER, configure the following registry key:

    Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Registry entry: SMB1

    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled

    Default: 1 = Enabled

    Enable SMBv2 on the SERVER, configure the following registry key:

    Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Registry entry: SMB2

    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled

    Default: 1 = Enabled

    ---

    Disable SMBv1 on the CLIENT, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

    sc.exe config mrxsmb10 start= disabled

    Enable SMBv2 & SMBv3 on the CLIENT, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi

    sc.exe config mrxsmb20 start= auto

    ---

    * The above is per https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012/

    (THIS HAS BEEN PATCHED but you can protect this way too & it works...)

    Not sure if this works in a "mixed-mode" network though (check MS link) using older Windows (e.g. XP/2000 etc.).

    APK

    P.S.=> For a SINGLE 'standalone' non-networked PC (no home network/LAN but TCP/IP connected online) turn off Server & Workstation services.

    That shuts off any "handles" (port 445) this thing propagates thru + turn off NetBIOS over TCP/IP in your internet connection & uncheck/disable Client for Microsoft Networks + File and Print Sharing. Port 139 & 445 always pop up issues over time. It also makes your packet trains smaller (no encapsulation of LanMan)

    I covered all this 11++ yrs. ago in a security guide I wrote for users with a single system & apparently, its advice STILL STANDS THE "TEST OF TIME" https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/ vs. even today's threats like this one.

    * This effectively makes this threat a non-issue + saves you CPU cycles/RAM & other I/O wasted on services you don't NEED as a single PC user only... & you don't. They're just wastes with a single PC really. Many services are (covered in guide above based on CIS Tool guidance (who took fixes to their ware from "yours truly" too, no less)) & again, no more encapsulated packet bulk... apk
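A read-only check of the settings listed in the comment above, useful for confirming they are still in place after a Windows update. This is an added example, not part of the original comment or of Microsoft's KB article; the function names are hypothetical, and it assumes the standard service registry layout, where a `Start` value of 4 means disabled.

```powershell
# Added example: read-only audit; nothing on the system is changed.
# Get-RegValue and Get-SmbV1State are hypothetical helper names.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Emits nothing ($null) when the key or the value is missing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-SmbV1State {
    $svc   = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $start = 'boot', 'system', 'auto', 'demand', 'disabled'   # Start values 0..4

    # Server side: per the comment, a missing SMB1/SMB2 value means default 1 = Enabled.
    $smb1 = Get-RegValue "$svc\LanmanServer\Parameters" 'SMB1'
    $smb2 = Get-RegValue "$svc\LanmanServer\Parameters" 'SMB2'
    $serverSmb1On = ($null -eq $smb1) -or ($smb1 -ne 0)
    $serverSmb2On = ($null -eq $smb2) -or ($smb2 -ne 0)

    # Client side: the values that "sc.exe config mrxsmb10 start= disabled" and
    # "sc.exe config lanmanworkstation depend= ..." write to the registry.
    $drv10 = Get-RegValue "$svc\mrxsmb10" 'Start'
    $drv20 = Get-RegValue "$svc\mrxsmb20" 'Start'
    $deps  = @(Get-RegValue "$svc\LanmanWorkstation" 'DependOnService' | Where-Object { $_ })

    $drv10Text = if ($null -eq $drv10) { 'driver not present' } else { $start[[int]$drv10] }
    $drv20Text = if ($null -eq $drv20) { 'driver not present' } else { $start[[int]$drv20] }
    # SMBv1 client is usable if its driver can start or the workstation service pulls it in.
    $clientSmb1On = (($null -ne $drv10) -and ($drv10 -ne 4)) -or ($deps -contains 'mrxsmb10')

    [pscustomobject]@{
        ServerSMB1Enabled    = $serverSmb1On
        ServerSMB2Enabled    = $serverSmb2On
        Mrxsmb10Start        = $drv10Text
        Mrxsmb20Start        = $drv20Text
        WorkstationDependsOn = $deps -join '/'
        ClientSMB1Reachable  = $clientSmb1On
    }
}

$state = Get-SmbV1State
$state | Format-List
if ($state.ServerSMB1Enabled -or $state.ClientSMB1Reachable) {
    Write-Warning 'SMBv1 is still enabled somewhere; re-check after each Windows update.'
}
```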

  23. Screw services.msc use Autoruns to disable by Trax3001BBS · · Score: 1

    There is a switch and service to disable User Experience (not send info to MS). This does nothing, one must disable them in the Task Options.

    No remote access is the same way

    Autoruns https://docs.microsoft.com/en-... allows you a one click to stop method. BUT could take many areas the same programs is turned off - I have always disabled "Windows Mail" I've 0 use for it. It must take some 20 disables - they're obvious.

    SMB is a one stop area.

  24. Re:At least those Windows systems boot fine... by Trax3001BBS · · Score: 1

    Well, for what it's worth, at least the Windows systems described in the summary manage to boot properly, to the point of having network connectivity and running services.

    I can't say the same for my Linux systems that run a distro that uses systemd. I've had those systems fail to boot much too often thanks to problems with systemd.

    Maybe this is just systemd doing me a favor and protecting my Linux systems, though? After all, a Linux installation that doesn't boot far enough to mount the filesystems properly likely won't have network connectivity, and likely won't have any services running that might be susceptible to attack.

    Give Linux Mint a try. Cinnamon became my favorite; only to find it as close to a Windows setup one's going to get (ie: WinKey+E open a file explorer). KDE is my goal but must learn Linux first.

    And yes I and many others dual boot.

  25. RT7 lite/NTLite is the answer by Anonymous Coward · · Score: 0

    Remove the SMB service from the ISO before install.

  26. RT7 lite by Anonymous Coward · · Score: 0

    Open ISO, remove said components from ISO, install

  27. NFS? by Anonymous Coward · · Score: 0

    Use NFS.

    1. Re:NFS? by Anonymous Coward · · Score: 0

      To that end, do you know of any good NFS (v4) for Windows? The solution I found was from some university and required compiling it on a Windows system and diving into esoteric BS that frankly I can't be bothered to do to support a broken OS.

      It was straightforward on GNU/Linux and OS X and works with no issues there.

    2. Re: NFS? by Anonymous Coward · · Score: 0

      Really? NFSv4 always kernel panics under any kind of workload here. Which magic fairy dust version are you using?

  28. Re:You weren't born gay. God doesn't make mistakes by Anonymous Coward · · Score: 0

    [non-biblical citation needed]

  29. Re:At least those Windows systems boot fine... by Reziac · · Score: 1

    Try the Trinity desktop. Operationally closer to Windows than is Cinnamon, and more configurable. (Admittedly I miss Win+E, but that can probably be fixed.)

    I've been hunting for a linux I could love since 1998, and always they're too buggy or too annoying... but I think I've finally found it in PCLinuxOS with Trinity desktop.

    http://trinity.mypclinuxos.com...

    --
    ~REZ~ #43301. Who'd fake being me anyway?
  30. Re:At least those Windows systems boot fine... by Anonymous Coward · · Score: 0

    I might go back to LXDE some day. My "safe" desktop is Mate.

    Last year they added a 0.1 version utility to set hotkeys. (it's in debian 9 as part of the deb package). Nice little thing, since editing the xml for openbox is a bit of a silly pain. I need my alt-f9 for minimizing.

    https://blog.lxde.org/2016/11/...

    LXDE does understand Win + D, the only dumb thing is Win key alone doesn't open the start menu, you need to hit ctrl-esc instead. I'd have to try remapping X11-wide the Win key to ctrl-esc and see if it prevents the Win + key shortcuts. Duh!
    Tip : if you try to use Lubuntu, you'll notice the icons are butt ugly. Bunch of gray in the start menu. To fix the ugly desktop, change the icon theme to a normal-looking one (e.g. "Adwaita" might be installed already). i.e. I think Mate, LXDE, XFCE etc. desktops work well enough that icon themes and similar are much of what should dictate choice of desktop and distro.
    This is so important that I wanted to let ./ know about it :)

    I did try q4os : it's a debian with a company behind it that uses Trinity desktop and can look really much like Windows XP. I think it's a bit pointless since the friendly features (super easy software installer with almost nothing in it) and familiarity don't really help. Might be good though for its stated niche : end user desktop in professional business setting where it's the sysadmin that provides the stuff (perhaps the special packages?) and the user only provides the work.

  31. Re:At least those Windows systems boot fine... by Anonymous Coward · · Score: 0

    Give Linux Mint a try. Cinnamon became my favorite; only to find it as close to a Windows setup one's going to get (ie: WinKey+E open a file explorer). KDE is my goal but must learn Linux first.

    And yes I and many others dual boot.

    I'm back to mint on my home desktop. I was running 10 to use Sketchup. I got Win 10 to run with opengl acceleration in VMWare player, though admittedly I haven't worked with it much yet. Either way, it seems to run sketchup. I'm not aware of any other virtualization solution that supports opengl 3.x acceleration that easily.

    One thing I'd like Mint to do, and linux in general, is to use the same hot key combo to lock the screen.

  32. Re:At least those Windows systems boot fine... by Reziac · · Score: 1

    I tried q4os and exegnu (or whatever it's called) too, but found PCLOS slightly more polished. I liked KDE3/4 (which Trinity follows from) but find KDE5 endlessly frustrating, so it was off to Trinity for me. The other desktops are okay (except Gnome, which I hate) but I find them too limiting; I can't get things quite how I want 'em, either for appearance (when you stare at it all day, this matters) or just How Things Work. If I'm going to have a simplified setup, I prefer JWM.

    Thanks for the tip on the hotkey app; downloaded and I'll give it a look.

    I've seen LXDE setups that looked nice, and others that were what-were-they-smoking! Me, I *loathe* Adwaita (and all the "modern" flat pastel looks) and usually wind up with a weird hybrid of Oxygen and Plastik, just to get some color and texture back. You'd probably hate my desktop. :)

    http://www.doomgold.com/images...

    --
    ~REZ~ #43301. Who'd fake being me anyway?