November 12, 2009, 2:03 PM — I do wonder sometimes about Microsoft's quality assurance. No, I tell a lie. I always wonder about Microsoft's quality assurance. As in, "How can they keep making mistakes like this?" In the latest, a new SMB vulnerability has been found and exploited that can lock-up any Windows 7 or Server 2008 R2 system.
As reported in ComputerWorld, Laurent Gaffie posted details of the vulnerabilities, along with proof-of-concept exploit code, to the Full Disclosure security mailing list today, as well as to his personal blog. Gaffie claimed that his exploit crashes the kernel in Windows 7 and its server sibling, Windows Server 2008 R2, triggering an infinite loop. Or, as he puts in so well in the exploit's code: "'Most Secure Os Ever' --> Remote Kernel in 2 mn. #FAIL,#FAIL,#FAIL"
He's right. It is a major fail. I tested it on my machines and, as predicted, it locked my Windows 7 or Server 2008 R2 systems up so badly that my only choice was to pull the plug. This exploit does nothing, however, to older versions of Windows. It bounced off my Windows XP SP3 and Server 2003 and Server 2008 systems.
SMB (Server Message Block), for those of you who aren't network administrators, is the fundamental protocol that's used in Windows for sharing files and printers. If you're running a Windows network you can no more avoid using it than you can avoid using HTTP (hyper-text transfer protocol) on the Web.
If you're thinking, "Didn't Microsoft just have another SMB bug?" Yes, you're right. They did. That security problem was in SMB2, the newer, fancier version of SMB. That bug was patched in the October 2009 Windows patch-a-thon.
The good news about the new SMB bug is that while the attack can be launched within a LAN (local area network), or on Windows 7 machines via Internet Explorer with a rigged to blow SMB packet, the only thing it can be used for is to knock a machine out. You can't use it, like you can the recently patched Windows' EOT (Embedded OpenType) font security hole, to take over a Windows PC. That means it's unlikely to be used by malware creators.
Microsoft acknowledges that they're looking into it, and if they think they're a real problem, they'll fix it. Ah, sorry, there is a real problem.
So, while Microsoft dithers, what can you do about the problem? Well, first, your firewall should already block the SMB protocols from the Internet. If you want to share files over the Internet there are far, far safer ways to do it than extending Windows-style networking over the Internet such as ssh with programs like Openssh; ftp with clients like FileZilla; Google Docs; etc. etc. etc.
Inside your LAN, just keep an eye out for a rash of unexplained Windows 7 or Server 2008 R2 failures. If you start seeing that kind of thing you may have a staffer with a grudge who knows how to use this trick to cause trouble. With a network protocol analyzer, such as my own personal favorite, WireShark, it shouldn't take you long to finger the culprit.
Oh, and Microsoft, hurry up and fix this. OK? This is embarrassingly bad.
