November 12, 2009, 2:03 PM — I do wonder sometimes about Microsoft's quality assurance. No, I tell a lie. I always wonder about Microsoft's quality assurance. As in, "How can they keep making mistakes like this?" In the latest, a new SMB vulnerability has been found and exploited that can lock up any Windows 7 or Server 2008 R2 system.
As reported in ComputerWorld, Laurent Gaffie posted details of the vulnerabilities, along with proof-of-concept exploit code, to the Full Disclosure security mailing list today, as well as to his personal blog. Gaffie claimed that his exploit crashes the kernel in Windows 7 and its server sibling, Windows Server 2008 R2, triggering an infinite loop. Or, as he puts it so well in the exploit's code: "'Most Secure Os Ever' --> Remote Kernel in 2 mn. #FAIL,#FAIL,#FAIL"
He's right. It is a major fail. I tested it on my machines and, as predicted, it locked my Windows 7 or Server 2008 R2 systems up so badly that my only choice was to pull the plug. This exploit does nothing, however, to older versions of Windows. It bounced off my Windows XP SP3 and Server 2003 and Server 2008 systems.
SMB (Server Message Block), for those of you who aren't network administrators, is the fundamental protocol that's used in Windows for sharing files and printers. If you're running a Windows network, you can no more avoid using it than you can avoid using HTTP (Hypertext Transfer Protocol) on the Web.
If you're thinking, "Didn't Microsoft just have another SMB bug?" Yes, you're right. They did. That security problem was in SMB2, the newer, fancier version of SMB. That bug was patched in the October 2009 Windows patch-a-thon.
The good news about the new SMB bug is that while the attack can be launched within a LAN (local area network), or on Windows 7 machines via Internet Explorer with a rigged-to-blow SMB packet, the only thing it can be used for is to knock a machine out. You can't use it, like you can the recently patched Windows' EOT (Embedded OpenType) font security hole, to take over a Windows PC. That means it's unlikely to be used by malware creators.
Microsoft acknowledges that they're looking into it, and if they think it's a real problem, they'll fix it. Ah, sorry, there is a real problem.
So, while Microsoft dithers, what can you do about the problem? Well, first, your firewall should already block the SMB protocols from the Internet.
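The firewall advice above can also be checked on the Windows host itself. The following is an added example, not code from the original article: it parses the text printed by `netsh advfirewall firewall show rule name=all` and lists enabled inbound allow rules that open the standard SMB ports (TCP 139 and 445) on the Public profile. The sample output is constructed, the function names are hypothetical, and treating the Public profile as the Internet-facing one is an assumption.

```python
import re
SMB_PORTS = {139, 445}  # TCP: NetBIOS session service and direct-hosted SMB

# Constructed sample in the layout netsh prints; not captured from a real host.
SAMPLE = """\
Rule Name:                            File and Printer Sharing (SMB-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Protocol:                             TCP
LocalPort:                            445
Action:                               Allow

Rule Name:                            Lab shares
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain
Protocol:                             TCP
LocalPort:                            135-139,445
Action:                               Allow
"""

def parse_rules(text):
    """Split netsh output into one {field: value} dict per rule."""
    rules = []
    for m in re.finditer(r"^([^:\n]+):[ \t]+(.*)$", text, re.M):
        if m.group(1) == "Rule Name":
            rules.append({})      # a "Rule Name" line starts a new rule
        if rules:
            rules[-1][m.group(1)] = m.group(2).strip()
    return rules

def ports(spec):
    """Expand a LocalPort value such as '135-139,445'; 'Any' includes SMB."""
    out = set(SMB_PORTS) if spec == "Any" else set()
    for lo, _, hi in (p.strip().partition("-") for p in spec.split(",")):
        if lo.isdigit():          # skips named values such as 'RPC'
            out.update(range(int(lo), int(hi or lo) + 1))
    return out

def exposed_smb_rules(text):
    """Names of enabled inbound allow rules reaching SMB on the Public profile."""
    return [r["Rule Name"] for r in parse_rules(text)
            if r.get("Enabled") == "Yes" and r.get("Direction") == "In"
            and r.get("Action") == "Allow" and r.get("Protocol") in ("TCP", "Any")
            and "Public" in r.get("Profiles", "").split(",")
            and ports(r.get("LocalPort", "Any")) & SMB_PORTS]
```

An empty list from `exposed_smb_rules` means no enabled rule on the host allows inbound SMB on the Public profile; it says nothing about a perimeter firewall, which has to be checked separately.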